The U.S. Federal Trade Commission (FTC) said 13 corrective measures are required in response to the large-scale Marriott and Starwood data breaches.

December 24, 2024, 9:53:30 PM
The U.S. Department of Commerce directed 13 changes in response to the large-scale Marriott and Starwood data breaches, which exposed the information of 34 million customers, including credit card and passport data. The FTC directed the two hotel groups to strengthen the protection of customers' personal information, establish policies not to retain it longer than necessary, and install a link on their websites for personal information deletion requests.

The U.S. Department of Commerce directed the companies to implement at least 13 changes in response to the large-scale data breaches involving Marriott and Starwood.

More than 34 million customers were affected by three separate security breaches, with personal information including credit card and passport details exposed...

The Marriott and Starwood Data Breach Incident

The first one occurred in 2018 as part of the Samsung Hyatt's longest-running breach.

Marriott International announced that it had become one of the companies to have its customer database hacked on a large scale.

Information for approximately 32.7 million guests was included, consisting of names, addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest ("SPG") account information, date and place of birth, gender, check-in and check-out information, reservation dates, and communication preferences. In some cases, credit card numbers and expiration dates were also included, but the credit card numbers were encrypted with the Advanced Encryption Standard (AES-128). Decrypting the credit card numbers requires two components, and Marriott cannot rule out the possibility that both have been obtained.

Two additional hacking incidents followed.

The FTC directs 13 changes

The FTC directed the two hotel groups to implement thorough changes so that the conditions that made the attack successful cannot recur and so that they can respond accordingly.

Marriott and Starwood were instructed to establish comprehensive information security programs to protect customers' personal information, implement policies that keep personal information only for as long as it is reasonably necessary, and install a link on their websites through which U.S. customers can request deletion of personal information associated with their email addresses or loyalty rewards account numbers. Additionally, Marriott was required to review customer loyalty rewards accounts upon request and restore lost loyalty points.

Companies may not misrepresent how they collect, maintain, use, delete, or disclose consumers' personal information, nor misrepresent the extent to which they protect the privacy, security, availability, reliability, or integrity of that personal information.

Despite the simplicity of these standards, the regulations show how bad the situation had become: for example, a company cannot lie about your data.

Under the order, the respondents must not misrepresent: A. how they collect, maintain, use, delete, or disclose consumers' personal information; B. the level of security, reliability, usability, and secrecy or integrity of the personal information they hold.

Other requirements include establishing education plans for data security and threat response policies, implementing two-factor authentication, and developing policies to detect breaches.
