Euro Security Watch with Mathew J. Schwartz

Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response

Marriott Breach Takeaway: The M&A Cybersecurity Challenge

After Buying Starwood, Marriott Didn't Spot Long-Running Breach for 2 More Years
Marriott Breach Takeaway: The M&A Cybersecurity Challenge
When Marriott acquired Starwood in 2016, including its Westin brand, it also purchased a guest reservation system that had been hacked. (Photo: The Westin New York Grand Central, via Marriott)

Beware cybersecurity during all mergers and acquisitions processes.

For organizations looking to buy another organization, fully vetting what's being sold - prior to takeover - would seem to be a business no-brainer. Because once a deal closes, you'll own the organization, IT network warts and all.

That's one major takeaway from an investigation by Britain's Information Commissioner's Office into a massive, four-year data breach suffered by hotel giant Marriott (see: Marriott Hit With $24 Million GDPR Privacy Fine Over Breach).

Or rather, the breach began with hotel chain Starwood's "guest reservation system" in 2014, but went undetected until 2018. Marriott acquired Starwood and its network of hotels - including the Westin, Sheraton, and W brands - in 2016, and thus failed to spot the breach for two more years.

Last week, the ICO hit Marriott with a £18.4 million ($24 million) fine over the breach, in what stands as the second biggest privacy fine to date in U.K. history. The ICO says its investigation found that "Marriott failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage," in violation of articles 5 and 32 of the EU's General Data Protection Regulation (see: Marriott and BA's Reduced Privacy Fines: GDPR Realpolitik).

The case now stands as "a salutary lesson of the need to keep data safe and in particular the need to take care when doing due diligence in acquisitions," says Jonathan Armstrong, a partner at London-based law firm Cordery.

The ICO's message: Once you buy it, you own it. "Even if IT vulnerabilities of the target company may not have been properly uncovered during the due diligence process, then upon completion, as acquirer, you will become fully responsible for ensuring cyber resilience of the entire enterprise, including its legacy IT systems and network solutions," privacy attorneys at London-based Mishcon de Reya write in a blog post analyzing the ICO's Marriott penalty.

'Limited Due Diligence'

The ICO's penalty notice is essential reading for anyone with cybersecurity responsibilities, not least when it comes to M&A activities.

The ICO's notice states: "During the acquisition process, Marriott states that it was only able to carry out limited due diligence on the Starwood data processing systems and databases."

But the ICO emphasizes that its penalty only applies to the state of Marriott's network - including IT systems acquired from Starwood, which it kept separate, pending their integration into its own network - from May 25, 2018, when GDPR went into full effect. "Accordingly, the commissioner has not determined whether or not it was possible for Marriott to conduct due diligence during a takeover. There may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover," the ICO says.

For the avoidance of any doubt, the commissioner is not making any finding of infringement in respect of the period between Marriott's acquisition of Starwood and the entry into force of the GDPR on May 25, 2018 Accordingly, the commissioner has not determined whether or not it was possible for Marriott to conduct due diligence during a takeover. There may be circumstances in which in-depth due diligence of a competitor is not possible during a takeover.
Excerpt from the ICO's penalty notice against Marriott, issued on Oct. 30.

Indeed, Steve King, a startup and IT veteran who's previously worked as a CISO and CTO, and who now - full disclosure - runs Information Security Media Group's CyberTheory advisory branch, says having weeks or months to conduct due diligence can be luxury.

"Sometimes you're looking at just days," says King, who's been involved in numerous M&A efforts.

Test Acquired Systems ASAP

Luckily for Marriott, incident response expert Matthew Linney notes that the breach could have been worse. "In this instance, it appears that integration of the Starwood resources into the wider Marriott infrastructure was slow, providing the fringe benefit of not exposing even more sensitive data," says Linney, who's a senior security consultant for Edinburgh, Scotland-based cybersecurity firm 7 Elements.

But he tells me that Marriott should have fully vetted the newly acquired infrastructure as quickly as possible. "This issue may have been identified and resolved much earlier if adequate testing had been performed, and monitoring - such as employing a robust intrusion prevention/detection solution - had been enabled," he says.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing gdpr.inforisktoday.com, you agree to our use of cookies.