Marriott recently announced that hackers stole information on as many as 500 million guests over a four-year span, obtaining credit card and passport numbers and other personal data. It is one of the largest breaches in history.
What We Know
When the Marriott-Starwood merger was first announced in 2015, Starwood had 21 million people in its loyalty program. The company manages more than 6,700 properties across the globe, most in North America.
The affected hotel brands were operated by Starwood prior to the merger in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were affected.
The crisis quickly emerged as one of the biggest data breaches on record. “On a scale of 1 to 10 and up, this is one of those No. 10-size breaches. There have only been a few of them of this scale and scope in the last decade,” said Chris Wysopal, chief technology officer of Veracode, a security company.
By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.
Security analysts have been especially alarmed to learn that the breach began in 2014. While such failures often span months, four years is extreme.
Goal of Hackers
Because the credit card information was likely encrypted, it was unclear what hackers could do with it. Although the numbers were encrypted, it is possible that hackers also obtained the two components needed to descramble them, the company said.
For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also included might be dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest account information.
It isn’t common for passport numbers to be part of a hack, but it is not unheard of either. In fact, Hong Kong-based airline Cathay Pacific Airways said in October that 9.4 million passengers’ information had been breached, including passport numbers.
Passport numbers are often requested by hotels outside the U.S. because U.S. driver’s licenses are not accepted there as identification. The numbers could be added to full sets of data about a person that bad actors sell on the black market, leading to identity theft.
And while the credit card industry can cancel accounts and issue new cards within days, it is a much more difficult process, often steeped in government bureaucracy, to get a new passport.
“We fell short of what our guests deserve and what we expect of ourselves,” Marriott CEO Arne Sorenson said in a statement. “We are doing everything we can to support our guests and using lessons learned to be better moving forward.”
The breach of personal information could put Marriott in violation of new European privacy laws, as guests included European travelers.
Marriott set up a website and call center for customers who believe they are at risk.
Email notifications for those who may have been affected begin rolling out Friday from a specific email address: firstname.lastname@example.org.
Cybersecurity Due Diligence
As this latest cyber breach demonstrates, cybersecurity should be an integral part of the merger and acquisition (M&A) due diligence process. To be done properly, identifying cyber risks must begin at the earliest practicable time in the potential transaction.
Omitting cybersecurity assessments in M&A due diligence, conducting superficial evaluations, or limiting such due diligence to a company’s IT systems rather than treating cybersecurity as a risk category means ignoring the serious risks that cyber threats pose to all companies, customers and reputations involved.