Last week the Federal Trade Commission (FTC) finalized an order requiring hotel chain Marriott and its subsidiary Starwood Hotels to implement comprehensive data security programs. The order resolves charges the FTC brought against Marriott and Starwood over three major data breaches. The first went undetected for 14 months, ending in November 2015, and affected more than 40,000 Starwood customers. The second went on for four years and affected approximately 339 million Starwood customers. The third went on between 2018 and 2020 and affected 5.2 million Marriott customers. Sensitive personal information was compromised in each of these breaches, which the FTC attributed largely to Marriott's and Starwood's security failures, including inadequate password controls, insufficient access controls, outdated software, a lack of proper network monitoring and a failure to use multifactor authentication.

Previously, Marriott had agreed to pay $52 million to 49 states to resolve similar allegations of security failures.

Under the order, Marriott customers can ask for a review of their Bonvoy account for unauthorized or suspicious activity and for the restoration of loyalty points lost through unauthorized access to the account. Marriott is also required to implement a policy to retain personal information only for as long as reasonably necessary to fulfill the purpose for which it was collected. This is something all companies should do: personal information that is no longer held cannot be stolen in a future breach. The order also allows customers to request deletion of personal information associated with an email address and/or a loyalty rewards number. Finally, Marriott is now required to put in place a comprehensive information security program that includes multifactor authentication, encryption and other safeguards. Again, this is something all companies should be required to do.

If you are not a subscriber to Scamicide.com and would like to receive free daily emails with the Scam of the Day, all you need to do is go to the bottom of the initial page of http://www.scamicide.com and type in your email address where it states "Sign up for this blog."