Marriott International acquires data breach

The world’s biggest hotel company Marriott International has announced that up to 500 million guest records may have been exposed in a data breach targeting the Starwood Hotel part of the business.

The breach was caused by unauthorised access to Starwood’s database, which happened in 2014, resulting in the names, phone numbers, and passport numbers of 327 million customers being put at risk. Payment details of some customers may also have been exposed.

Since Marriott International acquired Starwood Hotels for $14bn in 2016, this story highlights the need for thorough cyber due diligence during the M&A process.

Ollie Whitehouse, global chief technical officer at NCC Group, commented: “Marriott should have identified this breach through their cyber due diligence of Starwood in 2016 when it acquired the company. As a result of buying a breach they will face a number of challenges at a board level around the levels of governance and diligence within the business. Had it performed a detailed compromise assessment as part of its due-diligence activity, the organisation’s board would have been informed of the breach and been able to make a decision based on risk or put other warranties in place.

“Since the compromise started in 2014, the breach doesn’t fall under the remit of GDPR. However, the fallout would be incredibly severe under this regulation, and therefore any organisation looking to undergo an M&A deal now or in the future should learn from this example and ensure comprehensive cyber security and compromise assessments are carried out to inform their understanding of risk.”
