Marriott Hotels not only acquired Starwood Hotels but also acquired an existing data breach, resulting in an £18.4 million fine from the ICO.
Cyber security audits for mergers and acquisitions are becoming increasingly important. Starwood Hotels had been hacked for years before being acquired by Marriott. The responsibility still lay with Marriott, as it kept operating Starwood's website.
An estimated 339 million customers worldwide have been affected by the data breach. An unknown party accessed the systems of Starwood Hotels in 2014. However, this was not detected until 2018, two years after Starwood was acquired by Marriott.
The customer personal data accessed included names, phone numbers, unencrypted passport numbers, email addresses, arrival and departure information, membership numbers and guests' VIP status.
The ICO said: “There were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).”
Last year the ICO issued a notice of intent to fine. The initial fine of £99 million was announced last year but has since been reduced. The ICO took into consideration what Marriott had done to mitigate the effects of the attack, and the economic impact of COVID-19 on the business, before settling on and issuing the fine.
How did Starwood get hacked?
Marriott International purchased all Starwood hotels in 2016, creating the largest hotel chain in the world. Because the acquisition was so large, Marriott had not yet migrated Starwood's reservations databases over to its own networks.
In September 2018, an internal security tool flagged unauthorised access to a reservations database. The database held confidential information, including names, email addresses and credit card details. This prompted an internal investigation of the Starwood network where the database was stored.
During the investigation it came to light that Starwood's network had been compromised in 2014, and that the intrusion had gone undiscovered for four years. The investigation found that the unauthorised party had encrypted data and had taken steps towards removing data from the Starwood system.
The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its IT systems.
Marriott has since put in place many measures to improve its security systems.
BBC cyber reporter Joe Tidy said: “The cyber-criminals had been in the systems for years, and were effectively thrown into the merger deal without Marriott having a clue. Herein lies the issue, though – it seems the larger hotel didn’t check what it was buying.”
What could have been done to prevent it?
IT due diligence for mergers and acquisitions should have helped find an issue like this. A combination of cyber security audits, penetration tests and code reviews could have uncovered the hack.
At the time, Starwood could have undertaken external penetration testing, network penetration testing or red teaming to find issues and correct them before an attacker gained access.
The issues could then have been fixed before the acquisition, or the price of the deal renegotiated to reflect the impending costs of fines and remediation, not to mention the damage to reputation.