Marriott’s FTC charge underlines danger of ‘inheriting’ data breaches during acquisitions

A Marriott hotel in Baltimore, Maryland, US, on Friday, April 12, 2024.
(Image credit: Getty Images)

Marriott International has agreed to pay $52 million to settle penalty charges brought by the Federal Trade Commission (FTC) after suffering multiple breaches over the last ten years.

The hotel chain has suffered a number of cybersecurity incidents in recent years, but the initial breach is reported to have originated from Marriott’s subsidiary Starwood Hotels, which it acquired in 2016.

As a result, experts have warned that the case underscores the risks of failing to take adequate steps to assess and mitigate cyber risk when acquiring new entities.

The FTC claimed the multiple breaches Marriott suffered in the previous decade affected more than 300 million customers around the world, giving threat actors access to passport information, payment card numbers, loyalty numbers, dates of birth, and email addresses.

In one instance in March 2020, Marriott had to inform 5.2 million guests that threat actors had accessed their personal details using the stolen login credentials of two employees.

The charges assert that Marriott’s poor data security and failure to properly secure its computer systems led to the incidents. The absence of basic measures such as password protection and network monitoring was found to have allowed the attackers to remain on the network for a number of years.

In a statement acknowledging the settlement, Marriott said it will “continue implementing enhancements to its data privacy and information security programs, many of which are already in place or in progress”.

The firm added that it is offering US customers a process to request the deletion of their personal information, as well as implementing an MFA option for these members’ accounts, although notably it does not require members to use the extra layer of protection.

Marriott failed to carry out due diligence on Starwood’s cyber posture

William Wright, CEO of Closed Door Security, said that while any extra precautions being taken by the company are important, this was the bare minimum and these measures should have already been in place.

“While it’s positive to hear that Marriott will now prioritize its cyber defenses, it really should have been doing this from the very beginning. As one of the world’s largest hotel groups that holds masses of sensitive data, cyber security should never have been optional,” he explained.

“This also occurred because Marriott was failing to adopt basic security practices which made it much easier for criminals to breach its systems.”

Wright noted that the initial incident the firm suffered resulted from inheriting a reservation platform used by its Starwood subsidiary that was already compromised at the time of the 2016 acquisition, and said this reveals a lack of scrutiny of Starwood’s cyber hygiene.

“While Marriott essentially inherited the initial breach when it acquired Starwood, it did highlight the company had not carried out due diligence during the M&A process. Other organizations should learn from this. Never overlook the cyber practices of an organization during a purchase, because their failings will soon become your own, which could be very costly down the line.”

Wright described the fine handed down by the FTC as more akin to a slap on the wrist for a major organization like Marriott, mirroring similar criticism of the penalty it received from the Information Commissioner’s Office (ICO), the UK’s data regulator, for its lackluster cyber posture.

“It also follows in the wake of the ICO's minor fine against the organization in 2020. But, if the regulators really want to encourage businesses to improve their cyber hygiene, this doesn’t send out a good message. It certainly won’t be enough to deter other businesses from being lax with their defenses.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.