The Federal Trade Commission (FTC) has responded to a series of massive Marriott and Starwood data breaches, ordering the companies to make no fewer than 13 changes to ensure it cant happen again.More than 344 million customers were impacted by three separate security breaches, which revealed personal data that included credit card details and passport information Marriott and Starwood data breachesThe first of the three breaches dates all the way back to 2018.The Marriott International hotel group is the latest company to announce a large-scale hack of a customer database. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.There were two further hacks after this.FTC orders 13 changesThe FTC has now ordered both hotel groups to implement sweeping changes to guard against any repetition of the failings that allowed the attacks to succeed.Under the order, Marriott and Starwood are required to establish a comprehensive information security program to help safeguard customers personal information, implement a policy to retain personal information only for as long is reasonably necessary, and establish a link on their website for U.S. customers to request for personal information associated with their email address or loyalty rewards account number to be deleted. The order also requires Marriott to review loyalty rewards accounts upon customer request and restore stolen loyalty points.The companies are also prohibited from misrepresenting how they collect, maintain, use, delete or disclose consumers personal information; and the extent to which the companies protect the privacy, security, availability, confidentiality, or integrity of personal information.Given how basic many of the provisions are, they serve as a pretty damning indictment of how bad things must have been. For example, the companies mustnt lie about what they do with your data:Respondents, Respondents officers, agents, and employees, and all other persons in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not misrepresent in any manner, expressly or by implication:A. Respondents collection, maintenance, use, deletion, or disclosure of Personal Information; andB. The extent to which Respondents protect the privacy, security, availability, confidentiality, or integrity of Personal Information.Other requirements are that the group train its employees in data security, create plans for responding to threats, establish policies to detect intrusions, and use two-factor authentication.Photo byJonathan KemperonUnsplashAdd 9to5Mac to your Google News feed. FTC: We use income earning auto affiliate links. More.Youre reading 9to5Mac experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Dont know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel