
Marriott Lost 500 Million Guest Records. Here's the Lesson Nobody Is Talking About.


Marriott International disclosed that its Starwood guest reservation database was breached, exposing up to 500 million guest records. Names, addresses, phone numbers, email addresses, passport numbers, dates of birth, and in some cases, payment card numbers. It's the second-largest data breach in history, after Yahoo.

The headlines are focusing on the scale. But the most important detail is in the timeline: the breach began in 2014, two years before Marriott acquired Starwood. The attackers were inside Starwood's systems for four years before anyone noticed.

The M&A Security Problem

When Marriott acquired Starwood in 2016 for $13.6 billion, they inherited Starwood's technology infrastructure. That infrastructure came with a four-year-old compromise that nobody knew about.

This is a problem that applies well beyond hotel chains:

Practice Acquisitions

When a dental or medical practice acquires another practice, they often inherit the acquired practice's IT systems, patient databases, and network infrastructure. If the acquired practice had compromised systems, unpatched software, or active malware, the acquiring practice now has those problems too.

The Due Diligence Gap

Traditional M&A due diligence covers financials, legal matters, and operational issues. IT security is often an afterthought. Nobody audits the network for existing compromises. Nobody checks whether backups actually work. Nobody reviews access controls or patch levels.

Integration Risk

When you connect two networks during a practice merger, any compromise in one network can spread to the other. If the acquired practice's server has malware, connecting it to your network puts your systems at risk.

Lessons for Practice Owners

If You're Acquiring a Practice

  1. Include IT in due diligence. Before closing, have your IT provider assess the acquired practice's systems: patch levels, backup status, network architecture, access controls, and active threats.
  2. Don't connect networks immediately. Keep the acquired practice's network isolated until it's been assessed and cleaned up.
  3. Assume compromise. Treat the acquired practice's systems as potentially compromised until proven otherwise. This isn't paranoia. It's the lesson of Marriott.
  4. Plan for system migration. Budget the money and the timeline to migrate the acquired practice onto your IT standards, your PMS, and your security tools.
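The four steps above amount to a pre-integration triage: inventory the acquired practice's systems, score each one against your patch, backup, access-control and threat-indicator standards, and only connect the networks once nothing blocking remains. The script below is an added illustration of that triage and is not code from the original post. The host inventory is constructed, and the thresholds (30-day patch age, 7-day backup age, the unsupported-OS list) are assumptions an IT provider would tune to their own standards.

```python
"""Pre-integration triage of an acquired practice's systems.

Added example, not from the original post. The inventory and the
thresholds below are constructed assumptions, not real practice data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assessment thresholds (assumed; tune to your own IT standard).
MAX_PATCH_AGE_DAYS = 30
MAX_BACKUP_AGE_DAYS = 7
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}

# Findings that must block a network connection outright versus those
# that must be fixed before connecting. "Assume compromise": any sign
# of an active threat isolates the host until it is investigated.
SEVERITY = {
    "suspicious-outbound": "block",
    "unsupported-os": "block",
    "stale-patches": "fix-before-connect",
    "backup-stale": "fix-before-connect",
    "backup-untested": "fix-before-connect",
    "shared-admin": "fix-before-connect",
}


@dataclass
class Host:
    name: str
    os: str
    last_patch: date
    last_backup: Optional[date]       # None: no backup found at all
    restore_tested: bool              # has a restore ever been verified?
    shared_admin_account: bool        # one admin login shared by staff
    unexpected_outbound: bool         # connections to hosts nobody can explain


def assess_host(host: Host, today: date) -> List[str]:
    """Return the list of finding codes for one host (empty means clean)."""
    findings: List[str] = []
    if host.os in UNSUPPORTED_OS:
        findings.append("unsupported-os")
    if (today - host.last_patch).days > MAX_PATCH_AGE_DAYS:
        findings.append("stale-patches")
    if host.last_backup is None or (today - host.last_backup).days > MAX_BACKUP_AGE_DAYS:
        findings.append("backup-stale")
    elif not host.restore_tested:
        # A backup that has never been restored is an untested assumption.
        findings.append("backup-untested")
    if host.shared_admin_account:
        findings.append("shared-admin")
    if host.unexpected_outbound:
        findings.append("suspicious-outbound")
    return findings


def integration_decision(hosts: List[Host], today: date) -> Tuple[str, Dict[str, List[str]]]:
    """Decide whether the acquired network may be connected.

    Returns ("isolate" | "remediate-then-connect" | "connect", per-host findings).
    """
    report = {h.name: assess_host(h, today) for h in hosts}
    worst = "none"
    for codes in report.values():
        for code in codes:
            sev = SEVERITY[code]
            if sev == "block":
                worst = "block"
            elif worst == "none":
                worst = "fix-before-connect"
    verdict = {"block": "isolate",
               "fix-before-connect": "remediate-then-connect",
               "none": "connect"}[worst]
    return verdict, report


# Constructed inventory for a hypothetical acquired practice.
ASSESSMENT_DATE = date(2018, 11, 30)
_d = lambda days: ASSESSMENT_DATE - timedelta(days=days)
SAMPLE_HOSTS = [
    Host("pms-server", "Windows Server 2012 R2", _d(120), _d(2), False, True, True),
    Host("front-desk-1", "Windows 10", _d(10), _d(3), True, False, False),
    Host("imaging-pc", "Windows XP", _d(900), None, False, False, False),
]

if __name__ == "__main__":
    verdict, report = integration_decision(SAMPLE_HOSTS, ASSESSMENT_DATE)
    print("verdict:", verdict)
    for name, codes in report.items():
        print(f"  {name}: {', '.join(codes) or 'clean'}")
```

The decision is deliberately conservative: a single host showing unexplained outbound traffic or running an unsupported operating system keeps the whole acquired network isolated, because the point of step 2 is that one compromised server is enough to put the acquirer's systems at risk once the networks are joined.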

If You're Selling a Practice

  1. Clean up your IT. Up-to-date systems, patched software, and documented processes increase your practice's value.
  2. Document everything. Network diagrams, software licenses, vendor contracts, admin credentials. The buyer will need all of this.
  3. Disclose known issues. Don't let IT problems become post-sale liabilities.

The 500 Million Guest Takeaway

Marriott bought a $13.6 billion company and got a four-year-old data breach as a bonus. The cost of discovering and remediating that breach, plus regulatory fines, lawsuits, and reputational damage, will be enormous.

A proper IT security assessment during due diligence would have cost a fraction of what this breach will cost. Whether you're acquiring a practice or a multinational hotel chain, the lesson is the same: know what you're buying.