Marriott International issued a press release on Friday morning (Marriott press release, November 30) confirming a security incident affecting the Starwood guest reservation database. The affected population is approximately 500 million guests. For approximately 327 million of them, the data taken includes names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation date, and communication preferences. For some subset of those, payment-card information is also in scope, although Marriott states it was encrypted with strong AES-128 and has not confirmed whether the encryption keys were also taken. The unauthorised access to the Starwood network is reported to date back to 2014.
Marriott acquired Starwood in September 2016 for approximately $13.6 billion. The acquisition included, by the customary integration plan, the migration of Starwood guest data and reservations infrastructure into Marriott's systems over a multi-year period. The disclosure indicates that the unauthorised access into the Starwood network predated the acquisition by approximately two years and persisted, undetected, through the acquisition and through the integration period. Marriott discovered the unauthorised access in September 2018 — three months ago — and has been investigating since.
The acquisition-due-diligence question is the structural lesson. Starwood's pre-acquisition security posture was, on the public reporting that has emerged in the past 24 hours, less mature than Marriott's own (Reuters investigative reporting on Starwood security history — to be linked when the longer-form pieces land in coming weeks). The acquisition due diligence in 2016 included security review, but the persistent unauthorised access was not detected by that review. The post-acquisition integration treated the Starwood network as a known-good environment to be merged with the Marriott environment, rather than as an unknown-state environment to be re-baselined. The structural decision — to absorb the Starwood network without first establishing that it was free of unauthorised access — was a significant one, and the consequences are now being paid.
For the M&A-side customer conversations in the portfolio, the Marriott case is the worked example. The manufacturer in our portfolio has acquired several smaller manufacturing entities in the past three years and has another acquisition in late-stage negotiation. The customer briefings this week have included the Marriott case as the worked example of why the post-acquisition integration step needs to include a security baseline reset, not just a configuration audit. The cost of doing the baseline reset (segmentation of the acquired environment for an extended period, comprehensive endpoint replacement or rebuild, network re-baseline, credential rotation across the acquired organisation) is substantial and has historically been treated as out-of-scope for typical acquisition timelines. The Marriott case demonstrates that the cost of not doing it can, in expected-value terms, be substantially larger than the cost of doing it. The acquisition-integration playbook for the manufacturer's pending deal is being revised this week.
The GDPR exposure is substantial. The 327-million high-detail population includes EU residents in numbers that are likely in the tens of millions. The 2014 start of the unauthorised access window predates GDPR enforcement, but the discovery and disclosure fall within the GDPR period and the obligation is current. The Information Commissioner's Office has stated that it is making enquiries; the Irish DPC is also engaged because Marriott's European headquarters are in Ireland. The eventual fine, if one is issued, is likely to be substantially larger than those the British Airways and Facebook cases will produce, on the basis of the affected population scale and the duration of undetected access. The customer briefings around the Marriott case have included a useful conversation about how the regulatory exposure interacts with the commercial liability — class actions in the US and the UK were filed within 24 hours of the disclosure, the consumer-trust impact on the Marriott brand will be measurable, and the operational cost of remediation and communication will be substantial in its own right. The aggregate financial consequence of the breach for Marriott will be in the multi-hundred-million-dollar range and possibly more.
The technical-attribution conversation is converging, in early form, on a Chinese-state actor cluster. The reporting from Reuters yesterday and the analysis from several research firms cite overlapping technical indicators with previous Chinese-attributed activity. The targeting hypothesis is that the Starwood guest data — which includes detailed travel-pattern data on a substantial population, including many US government officials, military personnel, and business executives — is intelligence-relevant to a state actor with a sustained interest in counterintelligence and economic-intelligence collection. The attribution will firm up over the coming months; the operational lessons do not depend on the attribution.
For the wider supply-chain conversation in 2018 — NotPetya / M.E.Doc, ROCA, the various supply-chain-script Magecart cases, the Cisco Smart Install issues earlier this year, the various third-party-software issues that have surfaced — Marriott adds a new category. The acquisition itself is, in a structural sense, a supply-chain event: an organisation absorbs another organisation's infrastructure and trust posture without (in this case) verifying it. The defensive disciplines around acquisition integration belong in the supply-chain-security framework that we have been building out across customer programmes through 2018. The next year's programme work will include this dimension explicitly.
I will return to this as the investigation produces more public detail.