The Marriott/Starwood Data Breach: Early Lessons To Be Learned

On November 30, Marriott International announced that it had learned from an internal investigation in September 2018 that “an unauthorized party” had obtained unauthorized access to the guest reservation database of Starwood Resorts, which Marriott had acquired in 2016.  That unauthorized party apparently obtained information on

up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).

For compliance officers responsible for cybersecurity, the most troublesome fact that Marriott disclosed should not be the magnitude of this breach (though that is certainly breathtaking), but its statement that it “learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”  While Marriott reported that it is supporting law enforcement efforts, “working with leading security experts to improve,” and offering various information resources and support for persons who may be affected by the breach, cybersecurity experts quickly responded that Starwood should have detected the breach years earlier – not least because Starwood had suffered a different, smaller breach in 2015, not long after Marriott had announced the deal to acquire Starwood.

That response has a substantial measure of truth, but does not delve deeply enough.  In fact, even at this early stage of post-breach activity, there are several lessons that other companies can learn from Marriott’s situation.

First, there are at least three periods of time since the 2015 acquisition announcement at which Starwood, Marriott, or both companies should have discovered some indications of the 2014 breach:

• Pre-Acquisition Due Diligence: Knowing that Starwood had suffered the 2015 breach, both Marriott and Starwood had ample opportunity, during the pre-acquisition phase, to review the state of Starwood’s cybersecurity measures and determine whether any significant instances of unauthorized access had taken place. It is no overstatement to say that cybersecurity is a critical component of pre-acquisition due diligence.
• Post-Acquisition Due Diligence and Integration: If not done pre-acquisition, Marriott had ample opportunity, in the course of integrating Starwood and Marriott resources, to do a similar due diligence review and check for existing data breaches or other critical cyber vulnerabilities.
• Post-Integration: Even in the post-integration phase, before Marriott’s and Starwood’s rewards programs merged in August 2018, Marriott had additional time to conduct proactive cybersecurity reviews relating to Starwood’s data resources.

Second, the fact that Marriott apparently first discovered in September 2018 that unauthorized access to the Starwood database had begun in 2014 suggests that there were additional critical gaps in the cybersecurity programs of both companies.  In the September 2018 version of its publication “Best Practices for Victim Response and Reporting of Cyber Incidents,”  the U.S. Department of Justice’s Cybersecurity Unit identified a number of best practices which organizations should adopt before a cyber intrusion or attack occurs.  Two of those are:

• “Identify Your ‘Crown Jewels’.” The “Best Practices” document states that “[b]efore formulating a cyber incident response plan, an organization should first determine which of its data, assets, and services warrants the greatest protection. Prioritizing the protection of an organization’s “crown jewels” and assessing how to manage the risk associated with protecting them are important first steps toward preventing the type of catastrophic harm that can result from a cyber incident.”  The apparent lack of ongoing or periodic internal cybersecurity reviews for breaches, however, is strongly suggestive that Starwood did not recognize or designate its customers’ personal data as “crown jewels,” let alone prioritize their protection.
• “Educate Senior Management about the Threat.” The document also states that “an organization’s senior management, board of trustees, and any other governing body responsible for making resource decisions and setting priorities should be aware of how cyber threats can disrupt an organization, compromise its products, impair customer confidence and relations, and otherwise cause costly damage.”  The failure to discover this breach at any time before September 2018, unfortunately, suggests that between 2015 and 2018, Starwood and Marriott senior management either were not sufficiently educated about the risks of cyber attacks and the need to dedicate appropriate resources to cyber defense, or were informed but disregarded or downplayed the information.

Much remains to be learned about the pre-September 2018 state of Marriott’s and Starwood’s cybersecurity programs.  It is not too soon, however, for companies to use the known facts about this latest breach, and inferences therefrom, as a benchmark for the basic condition of their own cybersecurity programs, and as an opportunity to remind senior management about the potentially catastrophic consequences of failure to maintain robust cyber defenses.