Skip to main content

Marriott International, Inc. has long highlighted core values of putting people first, pursuing excellence, acting with integrity, and serving the world. Today, the FTC and Attorneys General from 49 states and D.C. are jointly announcing an action that suggests the company may want to add a fifth value to that list: protecting customer data and privacy. 

According to today’s proposed complaint, Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide, LLC had data security failures that led to at least three breaches between 2014 and 2020. First, the FTC says between 2014 and 2018 bad actors were able to take advantage of weak data security to steal 339 million consumer records from Marriott’s subsidiary, Starwood in two separate breaches. That included millions of passport, payment card, and loyalty numbers. Then, in 2020, according to the complaint, Marriott told its customers bad actors had breached Marriott’s own network through a franchised hotel.  This time the intruders stole 5.2 million guest records, which included significant personal information and loyalty account information. The stolen information was detailed enough, the complaint explains, that bad actors could use it to create highly successful, targeted phishing campaigns to commit fraud.

To settle the FTC’s case, Marriott and Starwood have agreed to a proposed order that will require them to implement processes and checks designed to prevent future problems by protecting personal information, detecting problems as they arise, and fixing any issues in a timely manner. Marriott has also agreed to pay $52 million as part of related settlements with state enforcers.

Here are some key lessons from the Marriott case.

  • Check out security practices when you acquire another company. The FTC’s complaint says Starwood’s breach was already happening before Marriott acquired the company and continued through and after the acquisition process. Remember that when you acquire a company, you’re not only buying the good stuff like its computers, software, systems, databases, and networks. You’re also buying the problems, like vulnerabilities, misconfigurations, and other security issues that may exist. Make sure you have a plan to bring the acquired company on board securely. And after the acquisition, take a careful look at the acquired company’s information security program. When – not if – you find problems, make a plan to address them. Don’t integrate the acquired company’s systems and technology into your network until you can do so safely and securely.
  • Use a multi-layered approach to data security. To protect personal information from bad actors, start with a risk assessment that looks at both internal and external risks. Go beyond basic security. And when you’ve figured out where the issues are, put multiple layers of controls in place. A few basic measures like training your employees to recognize attacks, using access controls, updating software, and having plans in place to deal with breaches when they occur can go a long way.
  • Collect and keep only the data you need. Malicious actors can’t steal what isn’t there, so give careful thought to what data you collect before you collect it, and don’t keep data longer than you need it. And make sure you’re giving your customers an easy way to let you know they want you to delete their personal information.
  • Vendor oversight is more important than ever. If you’re hiring someone to help you with your business, whether it’s to build your website or for another reason, make sure you choose vendors who make data security a priority. Use contracts to make sure your vendors have controls in place, and monitor your vendors’ activity to make sure they are complying.
  • Don’t forget franchisees. When you are working on your risk assessment, remember to take a closer look at your relationships with franchisees. Do your contracts require employee training and data security programs? Are you conducting audits? Make sure you’re watching for problems.

Learn more about protecting your customers’ data and privacy at Start With Security

Get Business Blog updates