Roots of Marriott Breach Run Deep

October 17, 2019

By Lena Licata and Patrick Merli

On November 30, 2018, Marriott International announced that it had experienced a major data breach in the guest reservation database for its Starwood brand. The breach impacted 500 million individuals—compromising accounts, credit card information and passport numbers. The initial intrusion happened in 2014 and is thought to have been perpetrated by Chinese intelligence services, who gained access to the system via a phishing campaign. They installed a Remote Access Trojan (RAT) along with Mimikatz (an exploitation framework) to gain control of a privileged administration account. All of this happened two years before the merger of Marriott and Starwood. However, it was not detected until September 8, 2018, when a newly installed security tool flagged suspicious activity, which then led to an investigation. How can something like this go unnoticed for so long?

A Confluence of Events

For starters, Starwood reportedly had a poor security culture prior to the merger. Some of those familiar with the situation said that the company did not meet the qualification standards for PCI-DSS compliance. PCI-DSS is a set of industry security standards designed to ensure that companies that accept, process, store or transmit credit card information maintain a secure environment. Furthermore, security employees found the system difficult to secure, as evidenced by a separate 2015 attack that took eight months to detect. After the merger in 2016, Marriott was not ready to deploy its proprietary reservation system to all of its new locations and, as such, left Starwood’s system in place. At the same time, Marriott laid off most of Starwood’s corporate staff, including those in IT and InfoSec, who were the most knowledgeable about the native system.

The Fallout

While Marriott mitigated a large part of the initial losses from the breach via cyber insurance, the direct and indirect losses from lost revenue, lawsuits and fines are expected to be significant. The U.K. levied a £99 million (approximately $123 million) fine against Marriott for the violation of privacy rights under GDPR, citing a failure to perform proper due diligence. U.S. lawsuits, also citing due diligence failures, are still pending.

Performing a cyber-risk assessment right before or immediately after a merger is a must in today’s world. No organization can afford to assume that the system it is acquiring hasn’t already been breached or that its network is breach-proof. Risk assessments, penetration testing, vulnerability assessments and compliance standards are all necessary to discover issues within an organization’s IT infrastructure. These techniques can help prevent breaches and, if one does occur, make detection and response as effective as possible. The longer a breach goes undetected, the more damage it can cause and the greater the liability exposure an organization faces.

About Lena Licata

Lena Licata is a Director specializing in Process, Risk, and Technology Solutions (PRTS), with more than 10 years of experience that includes public accounting and private industry.