FTC Orders Marriott to Establish 20-Year InfoSec Program

Highlights

* The program must be established by June 2025.

* The hotel chain must provide U.S. consumers with greater control over data.

* The order stems from Marriott’s data breaches exposing 344 million guests’ information.

Overview

The U.S. Federal Trade Commission (FTC) has ordered Marriott International and Starwood Hotels to implement a 20-year information security program for their role in three data breaches that compromised the personal information of 344 million guests worldwide.

This action follows an FTC complaint in October 2024, which accused the hotel giant of misleading consumers by allegedly falsely claiming to have robust data security measures in place. On the day the charges were announced, Marriott agreed to pay $52 million in penalties to 49 states and the District of Columbia to address these violations.

FTC Order

The FTC has set a deadline of 17 June 2025 for Marriott International to fulfill a series of mandatory compliance measures.

These include:

1. Information Security Program
Marriott must establish and maintain a comprehensive information security program designed to safeguard personal data. This program must include annual risk assessments, encryption protocols, incident response plans, multi-factor authentication, and vendor management policies.

2. Training and Awareness
All employees handling personal information must receive annual, role-appropriate training. Marriott must also ensure that its franchised hotels implement and maintain comparable training programs for staff with access to sensitive data.

3. Monitoring and Reporting
Marriott is required to monitor IT assets in real time to detect and respond to security anomalies and threats. In the event of a breach, the company must notify the FTC within 10 days of informing government authorities about the incident.

4. Data Retention and Consumer Rights
The company must enforce a data retention policy ensuring personal information is kept only as long as necessary for its original purpose. Marriott must also provide clear online tools for U.S. consumers to request data deletion and review their Loyalty Rewards Program accounts for unauthorized activity. If unauthorized access is verified, Marriott must promptly restore affected loyalty points.

5. Independent Assessments
For the next 20 years, Marriott must undergo independent, third-party security assessments every two years to verify compliance with security requirements. Additionally, the company must maintain detailed records, including risk assessments, training documentation, vendor agreements, and incident reports, for a minimum of five years.

6. Compliance and Transparency
Marriott’s CEO must certify annually that the company fully complies with the FTC order and must disclose any material non-compliance. The hotel giant must also provide full transparency and access to FTC representatives during compliance reviews.

Background

The FTC’s order stems from alleged security failures linked to three major data breaches that occurred within Marriott International and Starwood Hotels between 2014 and 2020.

The first breach began in 2014 within Starwood’s systems. After going undetected for 14 months, the breach exposed payment card information of 40,000 customers.

In 2018, Marriott discovered another breach tied to Starwood’s systems. Remaining undetected for four years, this incident compromised 8 million credit card records and 25 million unencrypted passport numbers, ultimately costing Marriott an estimated $2 billion in fines and legal expenses.

In 2020, Marriott uncovered yet another breach, originating from unauthorized access to its network dating back to 2018, exposing the personal data of over 5.2 million guests.

Although outside the purview of the FTC’s charges, a fourth breach occurred in 2022, where cybercriminals used social engineering techniques to manipulate hotel staff and gain access to 20 gigabytes of guest data.

Moving Forward

Nearly a decade after the initial breach, the FTC’s enforcement against Marriott International is a clear message to hospitality: data security is not optional—it’s a fundamental requirement to operate in the increasingly digital consumer marketplace.

Data security must become embedded into every facet of hotel operations to enable cyber threat resilience and preserve guest trust.

Feeling overwhelmed? Don’t be. As the leading experts in hospitality data protection, VENZA’s Customer Success Team offers expert guidance and customized solutions for hoteliers of all sizes.

Ready to get started? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.
