I often cite Marriott as a company that took a big security hit and didn’t cost them when my lens is that of stock price.
Marriott International and Starwood Hotels must pay $52 million and enhance their information security following three major data breaches affecting over 344 million customers. The FTC’s settlement mandates improved security measures, including customer data deletion requests and biennial independent assessments. The breaches between 2014 and 2020 involved inadequate security practices, leading to unauthorized access to sensitive customer information. As part of a settlement, Marriott must delete personal data upon request, restore lost loyalty points, and implement a comprehensive security program, including multi-factor authentication.
Of course, VentureBeat rains on my parade here, focusing on how Multi-factor authentication (MFA) is no longer sufficient to protect against sophisticated cyber threats. Traditional methods are vulnerable to attacks, including social engineering and man-in-the-middle tactics. Enterprises are encouraged to adopt stronger authentication methods, such as passwordless solutions and advanced analytics while recognizing that MFA remains a fundamental security component.
Speaking of stronger authentication methods, Microsoft is enhancing passkey support in Windows 11 with a redesigned Windows Hello experience that allows users to sync passkeys to their Microsoft account or store them with services like 1Password. A new API will enable third-party password managers to integrate directly, improving authentication across devices. The updated Windows Hello prompt will facilitate passkey setup and usage via facial recognition, fingerprint, or PIN. These features will first be available to Windows Insiders in the coming months, with more details expected at the Authenticate 2024 conference.
Why do we care?
Timeframe appears to be the change – a significant breach can impact, and the impact will be significantly more time. While large enterprises may weather breaches financially, SMBs (small and medium-sized businesses) often can’t afford the operational damage. Helping clients implement proactive security strategies—like passwordless solutions—can be a major differentiator.
Marriott’s case might illustrate how companies can survive breaches without significant financial fallout in the short term, but even that does seem to catch up. I bet $52 million would have bought a lot of cyber preparedness.
I’m also going to note: How many of your vendors are using passwordless authentication to protect the incredibly powerful systems they offer?

