
Corporate Negligence and Cybersecurity Failures: Case Study of the Marriott Data Breach

By Justina | April 12, 2026 | 8 min read


The 2018 Marriott International data breach is a definitive case study in why cybersecurity should be a cornerstone of any merger and acquisition (M&A) strategy, and in how easily it becomes the most overlooked part of one. What began as a straightforward acquisition of Starwood Hotels in 2016 revealed a failure of due diligence and technical oversight that left guest data exposed globally and an intrusion that went undetected for four years.

The breach did not start at Marriott. It began in the Starwood guest reservation system that Marriott acquired. Threat actors gained initial access as early as July 2014 and remained undetected even as Marriott finalized its acquisition of the hotel chain two years later. They used a Remote Access Trojan (RAT) and credential harvesting tools to maintain persistence and move laterally through the network.

It wasn’t until September 8, 2018, that Marriott’s database security product, IBM Guardium, flagged a suspicious query from an administrator account. The query requested a count of rows from a table, an anomaly because the automated software that normally used that account did not issue queries of that kind. Third-party forensic investigators were brought in to investigate, and less than a week later they found a RAT in the Starwood IT systems. Because there was still no evidence that unauthorized parties had accessed customer data, Marriott did not announce the discovery publicly. The investigators then found Mimikatz, a well-known post-exploitation tool used by both security researchers and attackers that extracts usernames and passwords from a device’s memory. This is how the threat actors acquired the credentials that let them move laterally throughout the network. Even then, the investigators had not found evidence of a customer data breach. On November 19, 2018, they finally located and decrypted two compressed, encrypted files that had been exfiltrated: one containing a table of guest data and the other holding passport information. Marriott notified authorities and publicly announced the breach on November 30, 2018.
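The Guardium alert described above is a baseline-and-deviation detection: the product knew which query shapes an account normally issued and flagged one it had never seen. The following is an added example of that logic, not code from the original post or from IBM Guardium. The account name, table names and audit records are constructed for the illustration; in practice the records come from the database audit trail or a network tap in front of the database.

```python
"""Baseline-and-deviation detector for privileged database accounts.

Added example, not code from the original post or from IBM Guardium. It
reproduces the logic behind the alert described above: an account that
normally issues a fixed set of parameterised query shapes suddenly issues
a new one, such as a row count or a full-table read. The account names,
table names and audit records below are constructed for this illustration.
"""
import re
from collections import defaultdict

# Constructed audit records as (account, statement). A real database activity
# monitor would read these from the audit trail or a network tap.
BASELINE_LOG = [
    ("svc_reservations", "SELECT guest_id, room FROM reservations WHERE confirmation = 'ABC123'"),
    ("svc_reservations", "UPDATE reservations SET status = 'checked_in' WHERE guest_id = 4411"),
    ("svc_reservations", "SELECT guest_id, room FROM reservations WHERE confirmation = 'XYZ987'"),
    ("svc_reservations", "INSERT INTO reservation_audit (guest_id, event) VALUES (4411, 'arrive')"),
    ("svc_reservations", "UPDATE reservations SET status = 'checked_out' WHERE guest_id = 9090"),
]

# Constructed records from a later day. The first is routine; the other two are
# what a human holding a harvested credential might run while sizing up the data.
NEW_LOG = [
    ("svc_reservations", "SELECT guest_id, room FROM reservations WHERE confirmation = 'QRS555'"),
    ("svc_reservations", "SELECT COUNT(*) FROM guests"),
    ("svc_reservations", "SELECT * FROM passports"),
]

TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN)\s+([A-Z_][A-Z0-9_]*)")
ENUMERATION_RE = re.compile(r"^SELECT (?:COUNT\(\*\)|\*) FROM ")


def normalize(sql: str) -> str:
    """Reduce a statement to its shape: string and numeric literals become '?',
    whitespace collapses and case is folded, so two queries that differ only in
    their parameters map to the same shape."""
    shape = re.sub(r"'[^']*'", "?", sql)
    shape = re.sub(r"\b\d+\b", "?", shape)
    shape = re.sub(r"\s+", " ", shape).strip()
    return shape.upper()


def tables_in(shape: str) -> set:
    """Tables named after FROM/INTO/UPDATE/JOIN in a normalized shape."""
    return set(TABLE_RE.findall(shape))


def build_baseline(log):
    """Per account: the set of query shapes and the set of tables it has touched."""
    shapes, tables = defaultdict(set), defaultdict(set)
    for account, sql in log:
        shape = normalize(sql)
        shapes[account].add(shape)
        tables[account].update(tables_in(shape))
    return {"shapes": shapes, "tables": tables}


def detect(baseline, log):
    """Return one alert per statement that departs from the account's baseline,
    listing every reason that applied. A statement matching a known shape is silent."""
    alerts = []
    for account, sql in log:
        shape = normalize(sql)
        if shape in baseline["shapes"].get(account, set()):
            continue
        reasons = ["query shape never seen for this account"]
        new_tables = tables_in(shape) - baseline["tables"].get(account, set())
        if new_tables:
            reasons.append("touches tables never accessed by this account: " + ", ".join(sorted(new_tables)))
        if ENUMERATION_RE.match(shape):
            reasons.append("row count or full-table read (enumeration pattern)")
        alerts.append({"account": account, "shape": shape, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), NEW_LOG):
        print(alert["account"], "|", alert["shape"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The routine lookup in NEW_LOG is silent because its shape is already in the baseline; the row count and the full read of a table the account has never touched each produce an alert with three reasons. The point a practitioner should take from the Marriott timeline is that this alert fired in 2018 on an intrusion that began in 2014: a shape baseline only detects behaviour that departs from the norm, so it needs to be running, and acted on, from the day the system is inherited.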

The breach compromised up to 500 million guest records, though the number of affected individuals is likely smaller, since many guests appeared in more than one record (Marriott later revised the total to roughly 383 million records). Regardless, the volume of exposed data was staggering:

  • Passport Numbers: 18.5 million encrypted and 5.25 million unencrypted numbers.
  • Payment Data: 9.1 million encrypted payment card numbers, of which 385,000 had not yet expired when the breach was discovered.
  • Personal Info: A trove of names, mailing addresses, and phone numbers.

The failures that allowed the RAT to persist were systemic. Investigators pointed to a lack of multi-factor authentication (MFA) and network segmentation, which meant the intrusion could not be contained once the Starwood network was compromised: without segmentation a harvested credential is good everywhere it is accepted, and without MFA a harvested password is all an attacker needs. Weak password policies, inadequate firewall configuration, and insufficient logging meant the attackers’ lateral movement went unnoticed for years.
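Lateral movement with harvested credentials leaves a trace that adequate logging would have exposed: one account authenticating to many distinct hosts in a short window. The following is an added example of that detection, not code from the original post. The log format, account names, host names and events are constructed; in a Windows estate the equivalent data is the successful-logon audit events collected centrally.

```python
"""Credential fan-out detector for authentication logs.

Added example, not code from the original post. Credentials harvested with a
tool such as Mimikatz are only useful if they can be replayed against other
hosts, and that replay leaves a trace: one account authenticating to many
distinct systems in a short window. The log format, host names and events
below are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed feed: timestamp, account, source host, destination host, outcome.
AUTH_LOG = """\
2024-03-01T02:00:10Z svc_backup SRV-BKP01 SRV-DB01 success
2024-03-01T02:00:40Z svc_backup SRV-BKP01 SRV-DB02 success
2024-03-01T02:01:05Z jdoe WS-0418 SRV-FILE01 success
2024-03-01T03:14:02Z adm_ops WS-0031 SRV-DB01 success
2024-03-01T03:14:09Z adm_ops WS-0031 SRV-DB02 success
2024-03-01T03:14:15Z adm_ops WS-0031 SRV-RES01 success
2024-03-01T03:14:22Z adm_ops WS-0031 SRV-RES02 success
2024-03-01T03:14:30Z adm_ops WS-0031 SRV-PAY01 failure
2024-03-01T03:14:34Z adm_ops WS-0031 SRV-PAY01 success
2024-03-01T03:14:41Z adm_ops WS-0031 SRV-HR01 success
2024-03-01T09:00:00Z jdoe WS-0418 SRV-MAIL01 success
"""

# Hosts each account is expected to reach (assumed allowlist). A backup service
# account legitimately fans out, so the hosts it is known to touch are exempt.
EXPECTED_HOSTS = {"svc_backup": {"SRV-DB01", "SRV-DB02"}}


def parse(log_text):
    """Parse the constructed feed into event dicts with real timestamps."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, outcome = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "account": account, "src": src, "dst": dst, "outcome": outcome})
    return events


def detect_fan_out(events, window=timedelta(minutes=10), threshold=5, expected=None):
    """Flag an account that successfully reaches >= threshold distinct hosts
    outside its expected set within one sliding window. Returns one alert per
    account, anchored at the earliest event of the first window that tripped."""
    expected = expected or {}
    by_account = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "success":
            by_account[ev["account"]].append(ev)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        allowed = expected.get(account, set())
        for i, start in enumerate(evs):
            hosts = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                if ev["dst"] not in allowed:
                    hosts.add(ev["dst"])
            if len(hosts) >= threshold:
                alerts.append({"account": account, "source": start["src"],
                               "first_seen": start["ts"], "hosts": sorted(hosts)})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_fan_out(parse(AUTH_LOG), expected=EXPECTED_HOSTS):
        print(f"{a['account']} from {a['source']} reached {len(a['hosts'])} hosts "
              f"starting {a['first_seen'].isoformat()}: {', '.join(a['hosts'])}")
```

Only adm_ops trips the rule: six hosts in under a minute from a single workstation, which is the signature of a credential being replayed rather than a person working. The backup account is exempt for the hosts it is known to touch, which is the practical way to keep the rule quiet; the exemption list is the per-account baseline that the text says Starwood lacked, and it only exists if authentication is logged everywhere, not just on the hosts an acquirer happened to inventory.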

The consequences for Marriott were swift and multi-jurisdictional. The company faced allegations of violating state consumer protection and personal information protection laws in the United States, and data protection law in the United Kingdom. Beyond the technical failures, the Federal Trade Commission (FTC) accused Marriott of deceiving consumers by claiming to have reasonable security measures in place.

  Entity          Penalty/Settlement        Impacted Group
  UK ICO          £18.4 million fine        7 million UK residents
  50 US States    $52 million settlement    131.5 million Americans

The Marriott breach is a reminder that when you acquire a company, you acquire its vulnerabilities. Security researchers note that because the stolen data never appeared for sale on the dark web, the intrusion was likely the work of state-sponsored actors collecting data on global travelers on behalf of a foreign intelligence service.

This case makes clear that a thorough cybersecurity assessment is not an optional part of a merger. Organizations must map out detailed asset inventories, establish solid identity and access management controls, understand exactly what they are protecting before integrating vulnerable legacy systems into their own networks, and, most importantly, implement zero-trust policies. Cybersecurity in the corporate environment is not something to be taken lightly. Neglecting it does not just cause financial losses: it lets attackers reach confidential data, damages a company’s reputation with its customers, and opens the door to future breaches in systems that suffer from the same corporate negligence.

Sources

  • Huntress: Marriott Data Breach: What Happened, Impact, and Lessons | Huntress
  • Daily Security Review: Marriott Data Breach: What Happened, Impact, and Lessons | Huntress
  • ZDNET: Marriott CEO shares post-mortem on last year’s hack | ZDNET
  • Mitratech: The Marriott/Starwood Data Breach: Why Third-Party Risk Management is Critical During M&A | Mitratech