After Buying Starwood, Marriott Didn’t Spot Long-Running Breach for 2 More Years
When Marriott acquired Starwood in 2016, including its Westin brand, it also purchased a guest reservation system that had been hacked. (Photo: The Westin New York Grand Central, via Marriott)
Beware cybersecurity during all mergers and acquisitions processes.
For organizations looking to buy another organization, fully vetting what’s being sold – prior to takeover – would seem to be a business no-brainer. Because once a deal closes, you’ll own the organization, IT network warts and all.
“There may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover.”
That’s one major takeaway from an investigation by Britain’s Information Commissioner’s Office into a massive, four-year data breach suffered by hotel giant Marriott (see: Marriott Hit With $24 Million GDPR Privacy Fine Over Breach).
Or rather, the breach began with hotel chain Starwood’s “guest reservation system” in 2014, but went undetected until 2018. Marriott acquired Starwood and its network of hotels – including the Westin, Sheraton, and W brands – in 2016, and thus failed to spot the breach for two more years.
Last week, the ICO hit Marriott with a £18.4 million ($24 million) fine over the breach, in what stands as the second biggest privacy fine to date in U.K. history. The ICO says its investigation found that “Marriott failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage,” in violation of articles 5 and 32 of the EU’s General Data Protection Regulation (see: Marriott and BA’s Reduced Privacy Fines: GDPR Realpolitik).
The case now stands as “a salutary lesson of the need to keep data safe and in particular the need to take care when doing due diligence in acquisitions,” says Jonathan Armstrong, a partner at London-based law firm Cordery.
The ICO’s message: Once you buy it, you own it. “Even if IT vulnerabilities of the target company may not have been properly uncovered during the due diligence process, then upon completion, as acquirer, you will become fully responsible for ensuring cyber resilience of the entire enterprise, including its legacy IT systems and network solutions,” privacy attorneys at London-based Mishcon de Reya write in a blog post analyzing the ICO’s Marriott penalty.
‘Limited Due Diligence’
The ICO’s penalty notice is essential reading for anyone with cybersecurity responsibilities, not least when it comes to M&A activities.
The ICO’s notice states: “During the acquisition process, Marriott states that it was only able to carry out limited due diligence on the Starwood data processing systems and databases.”
But the ICO emphasizes that its penalty only applies to the state of Marriott’s network – including IT systems acquired from Starwood, which it kept separate, pending their integration into its own network – from May 25, 2018, when GDPR went into full effect. “Accordingly, the commissioner has not determined whether or not it was possible for Marriott to conduct due diligence during a takeover. There may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover,” the ICO says.
Excerpt from the ICO’s penalty notice against Marriott, issued on Oct. 30.
Indeed, Steve King, a startup and IT veteran who’s previously worked as a CISO and CTO, and who now – full disclosure – runs Information Security Media Group’s CyberTheory advisory branch, says having weeks or months to conduct due diligence can be luxury.
“Sometimes you’re looking at just days,” says King, who’s been involved in numerous M&A efforts.
Test Acquired Systems ASAP
Luckily for Marriott, incident response expert Matthew Linney notes that the breach could have been worse. “In this instance, it appears that integration of the Starwood resources into the wider Marriott infrastructure was slow, providing the fringe benefit of not exposing even more sensitive data,” says Linney, who’s a senior security consultant for Edinburgh, Scotland-based cybersecurity firm 7 Elements.
But he tells me that Marriott should have fully vetted the newly acquired infrastructure as quickly as possible. “This issue may have been identified and resolved much earlier if adequate testing had been performed, and monitoring – such as employing a robust intrusion prevention/detection solution – had been enabled,” he says.