Analysis: Marriott Breach

Marriott is the latest major organization to fall victim to a data breach. The company announced last Friday that up to 500 million guest reservations had been stolen from its Starwood database in a security breach that dates back to 2014.

Details of the breach reveal that attackers were able to obtain sensitive customer information from within Marriott’s internal network. The data accessed includes reservation information and personal details such as names, dates of birth, gender, reservation dates, passport numbers, and encrypted credit card numbers. Marriott states that it is unknown whether the keys needed to decrypt the credit card numbers were also obtained by the attackers.

Marriott’s disclosure of the breach has been less than ideal. The organization emailed customers regarding the breach from the domain email-marriott.com. The website at this domain displays an HTTP 503 error and lacks an SSL certificate, so it cannot establish a secure HTTPS connection with visitors’ browsers. A user receiving notice from this domain would be justified in feeling wary of the email’s legitimacy, which emphasizes the importance of organizations having a proper incident communications plan in place before an incident actually occurs.
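The two red flags described above, a sender domain that is not the organization's own and links that are not served over HTTPS, are mechanical enough to check automatically. The following script is an added example (not code from the original post or from Marriott) that triages a breach-notification email from a recipient's point of view: it parses the From header, extracts every link from the body, and flags any sender or link host that is not the organization's registered domain or a subdomain of it, and any link that is plain HTTP. The sample message is constructed for illustration; `belongs_to_org`, `triage` and `tls_certificate_ok` are names chosen here, and the org domain `marriott.com` is assumed to be the legitimate one.

```python
"""Triage a breach-notification email: is it sent from, and does it link to,
the organization's own domain, and are the links served over HTTPS?"""
import re
import socket
import ssl
import sys
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample notification for the example; not a real Marriott email.
SAMPLE_EMAIL = """\
From: Guest Services <no-reply@email-marriott.com>
To: guest@example.com
Subject: Important notice regarding the Starwood guest reservation database

Please visit http://email-marriott.com/notice for details,
or read the statement at https://news.marriott.com/.
"""


def belongs_to_org(host: str, org_domain: str) -> bool:
    """True when host is org_domain itself or a subdomain of it.

    Lookalikes such as 'email-marriott.com' (a different registered domain)
    and 'marriott.com.evil.example' (org name used as a subdomain of an
    attacker's domain) both return False.
    """
    host = host.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


def triage(raw_email: str, org_domain: str) -> dict:
    """Parse a single-part email and return the sender domain, the links
    found in the body, and a list of human-readable findings."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    body = msg.get_payload()  # assumption: a plain-text, single-part message

    findings = []
    if not belongs_to_org(sender_domain, org_domain):
        findings.append(f"sender domain {sender_domain!r} is not under {org_domain}")

    # Pull out http(s) URLs and drop trailing sentence punctuation.
    links = [m.rstrip(".,;)") for m in re.findall(r"https?://[^\s<>\"']+", body)]
    for link in links:
        parsed = urlparse(link)
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            findings.append(f"link {link} is not served over HTTPS")
        if not belongs_to_org(host, org_domain):
            findings.append(f"link host {host!r} is not under {org_domain}")

    return {"sender_domain": sender_domain, "links": links, "findings": findings}


def tls_certificate_ok(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live check (needs network): does the host present a certificate that
    chains to a trusted root and matches its name? Any handshake or
    connection failure, including a missing certificate, returns False."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.getpeercert()
        return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL, "marriott.com")
    print("sender domain:", report["sender_domain"])
    for finding in report["findings"]:
        print("FLAG:", finding)
    # Only contact the network when explicitly asked.
    if "--live" in sys.argv:
        for link in report["links"]:
            host = urlparse(link).hostname or ""
            print(host, "TLS ok" if tls_certificate_ok(host) else "TLS check failed")
```

Run with `--live` to additionally perform the TLS handshake against each link host; without it the script stays offline. The suffix rule in `belongs_to_org` is deliberately strict: a separately registered domain that merely contains the brand name is treated as foreign, which is exactly the situation the notification above put recipients in.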

Marriott’s breach notification to its customers reveals that attackers had unauthorized access to the Starwood network via its payment system since 2014, predating the two companies’ merger in 2015. This timeline suggests that Starwood and Marriott were unaware of the data breach at the time the merger was completed.

News of this data breach highlights the importance of completing a thorough and independent cybersecurity assessment during mergers and acquisitions. Starwood’s preexisting breach is now negatively impacting the Marriott brand: stock values have dropped since disclosure of the breach, and the Marriott name has been tarnished. A complete cybersecurity assessment during the merger process could have made it possible to identify, contain, and eradicate the threat actor on Starwood’s network before it was integrated with Marriott. In addition to reputational damage and a decline in stock prices, cleaning up the breach could cost Marriott between $10 and $150 per record stolen, on top of any GDPR or other regulatory fines.

Mergers and acquisitions combine not only organizational assets but also organizational risks. A full cybersecurity assessment should be a standard part of the M&A process, as it is necessary to avoid inheriting inadequate security controls and risking the loss of customer data and trust.