Source URL: https://www.theregister.com/2024/10/09/marriott_settlements_data_breaches/
Source: The Register
Title: Marriott settles for a piddly $52M after series of breaches affecting millions
Feedly Summary: Intruders stayed for free on the network between 2014 and 2020
Marriott has agreed to pay a $52 million penalty and develop a comprehensive infosec program following a series of major data breaches between 2014 and 2020 that affected more than 344 million people worldwide.…
AI Summary and Description: Yes
Summary: Marriott has settled data breach allegations with a $52 million penalty and must enhance its information security measures following multiple significant breaches from 2014 to 2020 that compromised over 344 million records. This case underscores the importance of robust cybersecurity practices and compliance strategies in the hospitality industry.
Detailed Description: Marriott International is facing significant repercussions following a series of data breaches that compromised sensitive information of millions of customers. The details of the settlements shed light on the importance of information security and compliance in large organizations.
– **Financial Penalty**:
  – A $52 million settlement was agreed upon, to be distributed among 49 state attorneys general and the District of Columbia.
  – The penalty is only a fraction of Marriott’s sizeable revenue, but it highlights the monetary risk associated with inadequate cybersecurity measures.
– **FTC Settlement**:
  – The Federal Trade Commission requires Marriott to strengthen its cybersecurity practices and to certify compliance for 20 years.
  – Marriott must also implement changes such as a process for customers to request deletion of their personal data.
– **Data Breaches Overview**:
  – The article details three major breaches:
    – **First Breach**: Payment information of more than 40,000 Starwood customers, with notification of a data theft that occurred before Marriott’s acquisition of Starwood.
    – **Second Breach**: A prolonged intrusion affecting more than 339 million customer records, including 5.25 million unencrypted passport numbers, that went undetected for over four years.
    – **Third Breach**: Affected 1.8 million Americans, compromised a wide range of personal data, and took nearly two years to detect.
– **Security Failures**:
  – The breaches were attributed to poor security practices, including:
    – Inadequate password management.
    – Insufficient access controls.
    – Lack of network segmentation.
    – Multi-factor authentication that was not enabled.
    – Poor log management and network monitoring.
– **Commitments to Security Improvements**:
  – Development and implementation of an information security program, subject to biannual third-party assessments.
  – Enhanced security measures such as multi-factor authentication (MFA), network segmentation, and data encryption.
  – Measures to limit data retention and give customers options to actively manage their data privacy.
This case emphasizes the critical need for robust cybersecurity practices in large organizations, particularly in sectors like hospitality that handle vast amounts of personal information. It serves as a cautionary tale for compliance professionals to ensure stringent data security measures, regulatory compliance, and proactive risk management strategies are in place to prevent similar incidents.