Massachusetts Marriott and Starwood's data breach requires 13 fixes, FTC notes.

The Federal Trade Commission (FTC) of the United States has responded to a series of events related to large data breaches at Marriott and Starwood, mandating that these companies implement at least 13 changes to prevent such incidents from recurring.
"Over 344 million customers were affected by three security vulnerabilities that included credit card details and passport information."
Marriott and Starwood Data Breaches
These three breaches have come to light since 2018.
"The Marriott International Hotel Group, the latest company to announce a large-scale hack of its customer database."
Information for approximately 327 million guests included names, postal addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, booking dates, and communication preferences. In some cases, the information also included payment card numbers and expiration dates, although the payment card numbers were encrypted using a high-level standard (AES-128). Two elements are required to decrypt the payment card number, and Marriott cannot at this point deny that both have been taken.
Subsequently, two more hacks occurred.
FTC Mandates 13 Changes
The FTC has mandated extensive changes to both hotel groups to prevent future attacks from occurring.
Marriott and Starwood are required to establish comprehensive information security programs to protect customers' personal information, including policies to retain such information only for as long as it is reasonably necessary. They must also provide links on their websites that allow US customers to request deletion of the personal information tied to their email addresses or loyalty account numbers. Under the order, Marriott must also review loyalty accounts at a customer's request and restore any loyalty points that were stolen.
The companies are prohibited from misrepresenting how they collect, retain, use, delete, or disclose consumers' personal information, and from misrepresenting the extent to which they protect the privacy, security, availability, confidentiality, or integrity of that information.
Many of these requirements may seem basic, but that in itself says something about the current state of affairs: for example, a company should not be able to lie about what it does with your data.
Respondent, and its officers, agents, and employees who are directly or indirectly involved in the conduct covered by this order and who have received actual notice of it, must not misrepresent the following regarding personal information: A. the manner in which Respondent collects, retains, uses, deletes, or discloses personal information; and B. the extent to which Respondent protects the privacy, security, availability, confidentiality, or integrity of personal information.
Other requirements include providing data security training to staff, creating an incident response plan, establishing an intrusion detection policy, and using two-factor authentication.
Photo by Jonathan Kemper on Unsplash