The Marriott/Starwood Data Breach: Why Third-Party Risk Management is Critical During M&A

Editor's Note: This blog is the third in a series examining the causes and effects of high-profile third-party related data breaches over the last decade. Be sure to keep watching the Risk Register blog for future installments in the series!

When Marriott acquired Starwood in 2016, the company inherited a compromised reservation system platform that resulted in lawsuits and reputational damage after the breach was announced in 2018. This blog reviews the Marriott breach background, the methods the attackers used, what happened to the data, the breach’s impact on Marriott, and what lessons third-party practitioners can learn from it.

Data Breach Background

When Marriott acquired Starwood in 2016, unaware that malicious actors had direct access to Starwood’s networks and systems since 2014.The attackers maintained access to Starwood systems until the breach’s discovery and disclosure in 2018. The malicious actors stole guests’ names, addresses, phone numbers, birth dates, email addresses, encrypted credit card details, passport numbers and travel histories.

Methods Used

The malicious actors used a Remote Access Trojan (RAT). A RAT is malware that allows a malicious actor to gain remote access to a target’s computer. The attackers also used an open-source tool called Mimikatz, which searches a device or system’s memory for user credentials. Both tools were leveraged to maintain access to the hacked systems, move laterally within the network, and to escalate privileges on compromised systems.

What Happened to the Data?

Cyber security experts believe that state actors were responsible for the breach. However, as of early 2019, the stolen information had not yet been found for sale on the dark web. The large amount of compromised data would be useful for foreign intelligence agencies, and these agencies have the motivation and resources to both compromise Starwood and analyze the stolen dataset. In March 2019, Marriott CEO Arne Sorenson testified in front of a US Senate subcommittee that Marriott had yet to determine who is responsible for the breach.

How the Breach Affected Marriott

After disclosing the breach, Marriott’s share price dropped more than 5%. More recently, the company’s stock rebounded and they have not faced significant revenue losses. However, in July 2019 the Information Commissioner’s Office (ICO) issued a notice of its intention to fine Marriott International £99,200,396 ($123 million) under the new General Data Protection Regulation (GDPR).

Moreover, multiple class action lawsuits have been filed against Marriott. One of the claims is that Marriott did not perform its due diligence in examining Starwood’s cybersecurity posture during the acquisition process. The lawsuit alleges that, if Marriott had done so, the data breach would have been discovered prior to Marriott’s absorption of Starwood. As of today, the lawsuits are still ongoing.

What Third-Party Risk Management Practitioners Can Learn from the Marriott Breach

There are many lessons that risk management professionals can learn from the Marriott breach. Most importantly, as part of the M&A process, Marriott should have conducted deeper due diligence into Starwood’s internal controls and security policies to ascertain how they enabled third-party access to their systems, and how that could have exposed Starwood. This can be challenging, however, as there is generally limited visibility and a lack of centralized intelligence into the business health of an acquisition target.

Prevalent is unique in that we combine automated vendor assessments with continuous threat monitoring into a single platform for a 360-degree view of vendors. The outcome is the visibility you need to reveal, interpret and alleviate risk.

With increased regulatory activity related to information security, consumer outcry about data breaches, and the growing complexity in the business risk landscape, legal and financial repercussions resulting from third-party breaches will continue to increase. With the right measures in place, third-party risk management practitioners can keep their company’s names out of the headlines.

For more on how Prevalent can help address complex third-party risks, contact us today.