FTC orders Marriott to pay $52M and enhance security practices

The Federal Trade Commission said an investigation revealed that poor security practices led to three data breaches at Marriott and Starwood hotels between 2014 and 2020.

The Federal Trade Commission has ordered Marriott International, Inc. to bolster its inadequate security program and pay a $52 million penalty following a series of data breaches that exposed sensitive customer data.

Marriott and its subsidiary Starwood Hotels & Resorts Worldwide LLC, which it acquired in 2016, experienced three massive data breaches between 2014 and 2020 that required an investigation by the Federal Trade Commission (FTC). In a press release Wednesday, the FTC alleged that security shortcomings led to those breaches and announced two proposed settlements against the hotel giant.

One settlement required Marriott to pay $52 million and to strengthen its security practices. In a separate proposed settlement, Marriott and Starwood "also agreed to provide all of its U.S. customers with a way to request deletion of personal information associated with their email address or loyalty rewards account number," according to the FTC.

The settlements and complaint highlighted several basic security protocols that were missing from Marriott and Starwood's cybersecurity program. More than 344 million customers were affected by the data breaches, according to the FTC. Stolen information included names, mailing addresses, email addresses, phone numbers, month and day of birth and loyalty account information.

The FTC's investigation into the data breaches revealed that Marriott and Starwood failed to implement password, access and firewall controls, as well as network segmentation. Additionally, the FTC alleged that the hotels did not patch outdated software and systems, or adequately log and monitor network activity. The agency also stated that Marriott and Starwood did not deploy adequate MFA, a relatively basic security practice that the infosec industry has pushed for years.

The FTC said the first breach in 2014 went undetected for 14 months. The second breach occurred from 2014 to 2018 and exposed 5 million unencrypted passport numbers. The third breach affected Marriott's internal network and went undetected from 2018 to 2020.

Settlement requirements include data deletion and minimization policies so the hotels only hold data for a limited time frame. Additionally, the hotels are required to implement and maintain an effective cybersecurity program and certify compliance to the FTC annually for 20 years. The agency is also requiring a third-party assessment of the hotels' program every two years.

In a separate proposed settlement, the FTC said attackers managed to export additional customer information from Starwood's systems even after the second breach was discovered.

"Following the Second Breach, Respondents' forensic examiner assessed Starwood's systems and identified similar failures that resulted in the First Breach, including inadequate firewall controls, unencrypted payment card information stored outside of the secure cardholder data environment, lack of multifactor authentication, and inadequate monitoring and logging practices," the FTC wrote in the complaint. "Respondents failed to provide reasonable or appropriate security for the personal information that they collected and maintained about consumers."

The unsealed complaint said Marriott provided "deceptive information security statements" and it expanded on the hotel's poor security practices. The FTC said that because of inadequate password controls, "employees often used default, blank or weak passwords."

The investigation also found that the hotels did not terminate the accounts of former employees "in a timely manner." The complaint also cited inadequate logging capabilities, which made it difficult for security teams to distinguish between authorized and unauthorized activity.

"This failure prevented Respondents from detecting intruders in their networks -- for several years during the Second Breach -- and further prevented them from determining the information exfiltrated from their networks," the complaint said.

The FTC said its commission voted 3-0 to accept the proposed settlements and consent agreement; two of the five commissioners were recused in the case. The agreement is subject to public comment and final approval by the commission after 30 days.

TechTarget Editorial contacted Marriott for comment; the company referred to a statement published on Wednesday.

"As part of the resolutions with the FTC and the State Attorneys General, Marriott will continue implementing enhancements to its data privacy and information security programs, many of which are already in place or in progress," Marriott wrote in the statement.

Dan Schiappa, chief product and services officer at Arctic Wolf, told TechTarget Editorial that while the threat landscape that massive organizations like Marriott face is constantly evolving, the basics of security hygiene are not.

"Implementing identity access management tools like multi-factor authentication, adhering to strong password controls and regular patching and updating schedules, as well as diligent network monitoring are all foundational elements of a comprehensive security plan," Schiappa said in an email. "Data security is essential to a resilient security posture, and the allegations against Marriott should serve as a warning beacon for organizations who’ve not taken their measures seriously."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.