Marriott Starwood: 500 Million Guests Exposed in a Breach Hidden Inside an Acquisition
Marriott acquired Starwood in 2016 without realising attackers had been inside Starwood's guest reservation database since 2014. By the time the breach was discovered in 2018, 500 million records had been exposed for four years.
Background
Marriott International acquired Starwood Hotels and Resorts in September 2016 for $13.6 billion. Starwood's guest reservation system, which Marriott was integrating, had been compromised since 2014 — before the acquisition announcement.
The Attack
Attackers, attributed to a Chinese state-sponsored group, installed a remote access trojan (RAT) on Starwood's reservation database systems in 2014 and kept persistent access through the acquisition and the integration that followed. The breach was discovered only in September 2018, when an internal Marriott security tool flagged an unexpected database query attempting to export data. Investigators found that the attackers had been exfiltrating records for four years, accumulating data on 500 million guests, including names, addresses, phone numbers, email addresses, passport numbers, and some payment card information.
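The alert that ended the Starwood intrusion was a database query that did not fit normal behaviour. The following is an added example of that kind of check, not Marriott's or Starwood's tooling: it baselines rows returned per database account from a constructed audit log and flags export statements or queries far above the account's median, noting when they touch the passport and card columns that were taken here. The log format, field names, column names and VOLUME_FACTOR are assumptions.

```python
"""Flag bulk-export queries in a database audit log (added example).
Constructed log format: timestamp|db_user|client_host|rows_returned|statement.
Export patterns cover MySQL INTO OUTFILE/DUMPFILE and PostgreSQL COPY ... TO."""
import re
from collections import defaultdict
from statistics import median

# Constructed sample: routine per-night lookups, one nightly report, then two suspicious events.
AUDIT_LOG = """\
2018-09-07T02:11:03Z|reservations_app|10.20.4.11|42|SELECT guest_id, room FROM reservations WHERE stay_date = '2018-09-07'
2018-09-07T02:12:19Z|reservations_app|10.20.4.12|37|SELECT guest_id, room FROM reservations WHERE stay_date = '2018-09-07'
2018-09-07T02:13:44Z|reservations_app|10.20.4.11|55|SELECT guest_id, room FROM reservations WHERE stay_date = '2018-09-08'
2018-09-07T03:01:02Z|reporting_svc|10.20.9.3|1200|SELECT property_id, count(*) FROM reservations GROUP BY property_id
2018-09-08T04:47:51Z|reservations_app|172.16.33.7|3800000|SELECT name, address, passport_no, card_no FROM guests
2018-09-08T04:49:10Z|reporting_svc|10.20.9.3|9|SELECT * FROM guests INTO OUTFILE '/tmp/g.csv'
"""

EXPORT_PATTERN = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b|\bCOPY\b.+\bTO\b", re.I)
SENSITIVE_COLUMNS = re.compile(r"\b(passport_no|card_no)\b", re.I)  # assumed column names
VOLUME_FACTOR = 20  # rows returned above 20x the account's median is suspicious (assumption)

def parse_audit(text):
    """Split the pipe-delimited log into event dicts; the statement may itself contain '|'."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, rows, stmt = line.split("|", 4)
        events.append({"ts": ts, "user": user, "host": host, "rows": int(rows), "stmt": stmt})
    return events

def median_rows_per_user(events):
    """Baseline: median rows returned per database account over the whole log."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e["rows"])
    return {user: median(rows) for user, rows in per_user.items()}

def find_export_anomalies(text):
    """Return (timestamp, user, reasons) for every event that looks like a bulk export."""
    events = parse_audit(text)
    baseline = median_rows_per_user(events)
    findings = []
    for e in events:
        reasons = []
        if EXPORT_PATTERN.search(e["stmt"]):
            reasons.append("export statement")
        if e["rows"] > VOLUME_FACTOR * max(baseline[e["user"]], 1):
            reasons.append(f"volume {e['rows']} rows vs account median {baseline[e['user']]:.0f}")
        if reasons and SENSITIVE_COLUMNS.search(e["stmt"]):
            reasons.append("touches passport/card columns")  # raises priority for the analyst
        if reasons:
            findings.append((e["ts"], e["user"], reasons))
    return findings
```

A median baseline is robust to the outlier being present in the same window; in production the baseline would come from a longer history and the threshold would be tuned per account.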
Response
Marriott notified all affected guests and offered free passport reregistration for those who believed their passport numbers were compromised. The UK ICO fined Marriott £18.4 million under GDPR. Marriott faced class actions globally. The company implemented enhanced due diligence for future M&A cybersecurity assessments.
Outcome
The 500-million-record breach is the second-largest by account count, after Yahoo. Passport numbers in particular are valuable to nation-state intelligence services because they can be used to track travel patterns. The case established that acquiring companies inherit the cybersecurity liabilities of their targets.
Key Takeaways
- Cybersecurity due diligence in M&A must include full forensic assessment of target systems
- Attackers can persist undetected for years — assume breach and hunt proactively
- Passport and government ID data requires the highest encryption and access controls
- Acquired infrastructure must be treated as hostile until thoroughly assessed