Massive Marriott and Starwood data breaches require 13 fixes
December 24, 2024


The U.S. Federal Trade Commission (FTC) has responded to a series of massive Marriott and Starwood data breaches by ordering the companies to make no fewer than 13 changes to ensure that similar incidents do not happen again.

More than 344 million customers were affected by three separate security breaches that exposed personal data, including credit card details and passport information.

Marriott and Starwood data leaked

The first of the three breaches dates back to 2018.

Marriott International is the latest company to announce a massive hack of its customer database.

“For approximately 327 million of those guests, this information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, booking dates and communication preferences. For some, this information also includes payment card numbers and payment card expiration dates, but the payment card numbers are encrypted using Advanced Encryption Standard encryption (AES-128). Decrypting a payment card number requires two components, and Marriott cannot rule out the possibility that both components have been compromised.”

Two more hacking attacks have occurred since then.

13 changes in the FTC order

The FTC order now requires both hotel groups to implement sweeping changes to prevent a recurrence of the mistakes that led to the successful attacks.

Under the order, Marriott and Starwood must establish comprehensive information security programs to help protect customers’ personal information, implement a policy of retaining personal information only for as long as is reasonably necessary, and provide a link on their websites through which U.S. customers can request deletion of the personal information associated with their email address or loyalty rewards account. The order also requires Marriott to review loyalty rewards accounts and restore stolen loyalty points upon customer request.

The companies are also prohibited from misrepresenting how they collect, maintain, use, delete, or disclose consumers’ personal information, and the extent to which they protect the privacy, security, availability, confidentiality, or integrity of personal information.

Given the basic nature of many of these provisions, they serve as a damning indictment of how bad things are. For example, companies cannot lie about how they process your data:

Respondent, Respondent’s officers, agents, and employees, and all other persons in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not misrepresent in any manner, expressly or by implication:
A. how Respondent collects, maintains, uses, deletes, or discloses personal information; and
B. the extent to which Respondent protects the privacy, security, availability, confidentiality, or integrity of personal information.

Other requirements include conducting data security training for employees, developing a plan for dealing with threats, developing a strategy for detecting intrusions, and using two-factor authentication.

Photo: Jonathan Kemper on Unsplash
