Marriott’s acquisition of Starwood hotels in 2016 came with a hidden data breach that jeopardized 500 million Starwood customer records. The hack wasn’t announced until this fall, two years after the acquisition. Now Marriott has a lot of explaining to do.
Due diligence – doing all you can to learn about the organization you're taking on – is an important part of any acquisition. In today’s cyber security environment, performing due diligence is vital to uncover any past or present cyber-attacks or cybersecurity risks. No one wants to be the next Marriott.
Whether you're currently in an acquisition, or conducting business as usual, what can your organization do to ensure cybersecurity due diligence?
The Marriott Hack: What Went Wrong?
Marriott International, Inc. acquired Starwood Hotels & Resorts Worldwide in September of 2016 for $13.6 billion. Marriott found out two years later that Starwood’s systems had been compromised prior to the acquisition. The acquisition turned out to be a massive opportunity, specifically for the hackers that had access to Starwood’s IT network.
On November 30, 2018, Marriott announced that 500 million guest records from the Starwood reservation database had been compromised since 2014 (two years before Marriott acquired Starwood). Five hundred million compromised records exceeds what we saw in the Equifax data breach (146 million records) and the eBay data breach (145 million records) combined.
What may have been Starwood’s oversight in cyber security is now Marriott’s problem. They did not catch it before acquiring the company.
Marriott Inherited a Hacked System
Hotel chains, retailers and any other organization handling customer records are targets for network hackers. Credit card numbers, whether given over the phone or online, are stored, along with vehicle information, names and other identifying data. This data is valuable to cybercriminals. The Marriott breach resulted in stolen names, addresses, phone numbers, emails, passport numbers and possibly encrypted credit card information from customers.
The costs associated with the loss of customer records include a damaged reputation for the brand, legal fees and fees to secure the network going forward. Costs to conduct cybersecurity due diligence up front, instead of in retrospect, are minuscule compared to what Marriott is facing now.
How can your organization perform cybersecurity due diligence successfully?
Cybersecurity Due Diligence Checklist
The worst part of the whole story is the hackers were in Starwood’s system in 2014, two years before Marriott acquired them. Any attempts at due diligence missed the problem and will cost Marriott greatly.
As part of merger and acquisition negotiations, cybersecurity needs to be investigated. If you’re not doing your cybersecurity due diligence, you’re asking to be the next Marriott.
What should be considered as part of a cybersecurity due diligence checklist:
- Identify all data that currently exists within the acquired organization's systems and where it is stored
- Understand any data breaches reported by the acquired organization
- Assess the acquired network to identify any existing or past vulnerabilities
- Implement an active detection and response solution within the acquired organization to find hidden threats
If cybersecurity red flags are found within any area of the acquired organization, mergers and acquisitions can see major price changes, or even be called off.