The Federal Trade Commission (FTC) has ordered Marriott International and Starwood Hotels to define and implement a robust customer data security scheme following failures that led to massive data breaches.

After acquiring Starwood in 2016 and failing to implement "reasonable data security," Marriott International suffered three major data breaches impacting 344 million customers globally.

Order for stronger measures

Now, the FTC has ordered Marriott and its subsidiary, Starwood, to establish a security program that would safeguard the clients’ sensitive data from hackers and provide them better control over their data.

According to the published order, the following key measures need to be taken: 

1. Establish, implement, and maintain a comprehensive information security program that encompasses encryption, access controls, multi-factor authentication, vulnerability management, and incident response plans
2. Marriott must maintain policies to retain personal information only as long as reasonably necessary for its purposes, and include a link on its website for U.S. consumers to request deletion of their personal information
3. Implement logging and monitoring of IT assets to detect anomalous activities and security events within 24 hours
4. Conduct independent, biennial assessments of the information security program for 20 years and report to the FTC any identified gaps addressed
5. Provide a method for U.S. consumers to review suspected unauthorized activity in their loyalty rewards accounts and restore those points in cases of a breach
6. Inform the FTC within 10 days of any required notifications to governmental entities about security breaches

The FTC order mandates that Marriott and Starwood implement the required comprehensive information security program and related measures within 180 days from the date the order takes effect, which is December 20, 2024, setting a deadline for June 17, 2025

The order will remain in effect for 20 years, with an option for extension under specific conditions.

Past incidents

In 2014, Starwood’s payment systems were hacked, exposing customer data, with disclosure delayed by 14 months.

Another breach that lasted between 2014 and 2018 compromised 339 million guest records, including unencrypted passport numbers. The incident impacted only guests at Starwood properties, whose reservation database had been breached since 2014 and Marriott inherited the compromise when it acquired Starwood.

In 2018, hackers accessed data of 5.2 million Marriott guests, but this was only detected in 2020, the delay in detection and disclosure leaving customers vulnerable for the entire time.

In October 2024, Marriott settled with the FTC over the above failures, agreeing to pay $52,000,000 to 49 states to resolve claims related to these data breaches.