Marriott’s acquisition of Starwood hotels in 2016 came with a hidden data breach that jeopardized 500 million Starwood customer records. The hack wasn’t announced until this fall, two years after the acquisition. Now Marriott has a lot of explaining to do.

Due diligence – doing all you can to learn about the organization you're taking on – is an important part of any acquisition. In today’s cyber security environment, performing due diligence is vital to uncover any past or present cyber-attacks or cybersecurity risks. No one wants to be the next Marriott.

Whether you're currently in an acquisition, or conducting business as usual, what can your organization do to ensure cybersecurity due diligence?

The Marriott Hack: What Went Wrong?

Marriott International, Inc. acquired Starwood Hotels & Resorts Worldwide in September of 2016 for $13.6 billion. Marriott found out two years later that Starwood’s cybersecurity had been compromised prior to the acquisition. The acquisition turned out to be a massive opportunity, specifically for the hackers that already had access to Starwood’s IT network.

On November 30, 2018, Marriott announced that 500 million guest records from the Starwood reservation database had been compromised since 2014 (two years before Marriott acquired Starwood). Five hundred million compromised records exceeds what we saw in the Equifax data breach (146 million records) and the eBay data breach (145 million records) combined.

What may have been Starwood’s oversight in cybersecurity is now Marriott’s problem. Marriott did not catch it before acquiring the company.

Marriott Inherited a Hacked System

Hotel chains, retailers and any other organization handling customer records are targets for network hackers. Credit card numbers, whether given over the phone or online, are stored along with vehicle information, names and other identifying data. This data is valuable to cybercriminals. The Marriott breach resulted in stolen names, addresses, phone numbers, emails, passport numbers and possibly encrypted credit card information from customers.

The costs associated with the loss of customer records include a damaged reputation for the brand, legal fees and the cost of securing the network going forward. The cost of conducting cybersecurity due diligence up front, instead of in retrospect, is minuscule compared to what Marriott is facing now.

How can your organization perform cybersecurity due diligence successfully?

Cybersecurity Due Diligence Checklist

The worst part of the whole story is that the hackers were in Starwood’s system in 2014, two years before Marriott acquired them. Any attempts at due diligence missed the problem, and that miss will cost Marriott greatly.

As part of merger and acquisition negotiations, cybersecurity needs to be investigated. If you’re not doing your cybersecurity due diligence, you’re asking to be the next Marriott.

What should be considered as part of a cybersecurity due diligence checklist:

  • Identify all data that currently exists within the acquired organization’s systems and where it is stored

  • Understand any data breaches reported by the acquired organization

  • Assess the acquired network to identify any existing or past vulnerabilities

  • Implement an active detection and response solution within the acquired organization to find hidden threats

If cybersecurity red flags are found within any area of the acquired organization, mergers and acquisitions can see major price changes, or even be called off.

Protection against cybersecurity vulnerabilities is becoming more of a common practice in merger and acquisition agreements, but many organizations can’t handle this kind of due diligence testing on their own.

Loffler can help you perform cybersecurity due diligence testing to stay on top of your current IT environment and to help in your next merger or acquisition.

Randy Anderson

Randy is a CISSP who leads the Cybersecurity and IT Consulting team at Loffler Companies. He is focused on applying his 25+ years of IT experience to help his clients measure, understand and manage information security risk through the vCISO managed consulting program.
