Marriott International acquires data breach

The world’s biggest hotel company Marriott International has announced that up to 500 million guest records may have been exposed in a data breach targeting the Starwood Hotel part of the business.

The breach was caused by unauthorised access to Starwood’s database, which happened in 2014, resulting in the names, phone numbers, and passport numbers of 327 million customers being put at risk. Payment details of some customers may also have been exposed.

Since Marriott International acquired Starwood Hotels for $14bn in 2016, this story highlights the need for thorough cyber due diligence during the M&A process.

Ollie Whitehouse, global chief technical officer at NCC Group, commented: “Marriott should have identified this breach through their cyber due diligence of Starwood in 2016 when it acquired the company. As result of buying a breach they will face a number of challenges at a board level around the levels of governance and diligence within the business. Had it performed a detailed compromise assessment as part of its due-diligence activity, the organisation’s board would have been informed of the breach and been able to make a decision based on risk or put other warranties in place.

“Since the compromise started in 2014, the breach doesn’t fall under the remit of GDPR. However, the fallout would be incredibly severe under this regulation, and therefore any organisation looking to undergo an M&A deal now or in the future should learn from this example and ensure a comprehensive cyber security and compromise assessments are carried out to inform their understanding of risk.”