The case of the Marriott hack is, at once, an alarming prospect for the chain’s previous guests and an invaluable case study for any organization involved in any kind of merger. At the very least, it serves as a cautionary tale for businesses that neglect cybersecurity due diligence during acquisitions.
The issue started in 2014, when hackers were able to bypass the Starwood Hospitality Group’s security system. Starwood operates several popular hotel chains, including Westin, Sheraton, Aloft, and W Hotels. Marriott—the fourth largest hotel chain in the world—acquired the group in 2016, and this past November it had to break the news that as many as 500 million customers’ data may have been compromised. The chain now estimates that the number of customers impacted is closer to 383 million, but that figure is still more than enough to constitute the largest breach in the history of the travel industry.
It is believed that a significant portion of those affected only had relatively inconsequential information stolen, such as names and email addresses. Others, however, may be in more trouble: certain customers are believed to have had various combinations of data stolen, including names, phone numbers, home and email addresses, birthdays, genders, and reservation information. Most alarmingly, hackers were able to access as many as 5.25 million unencrypted passport numbers and data from 354,000 active and unexpired credit cards. The FBI believes that the perpetrators behind the hack were likely working on behalf of the Chinese Ministry of State Security—the Chinese equivalent of the CIA.
There is plenty to learn from this situation, but organizations interested in or actively pursuing acquisitions can take the most away from it. Hackers were inside Starwood’s systems for two years before the company was acquired by Marriott and for two years after, yet the fundamental flaws and vulnerabilities in its security program went undiscovered both during and after the merger. This whole situation and its consequences perfectly accentuate exactly how crucial a comprehensive and thorough cybersecurity vetting process is to a corporate takeover.