Marriott’s Data Breach Underscores the Importance of Scrutinizing Data Security Policies During a Mergers and Acquisition Process

The ever-increasing line of corporate data breaches grew longer last week, as Marriott International disclosed that it had been the latest victim of a massive cyber-attack. On Friday, November 30^th, 2018, Marriott announced the largest data breach in its history that compromised the personal information of nearly 500 million people. The exposed data included names, dates of birth, phone numbers, credit card information, and passport numbers.

According to Marriott, an unauthorized party had access to the databases of Starwood properties since 2014 . Two years later, Marriott acquired Starwood and its hotel chains including St. Regis, Westin, Sheraton, Alof, Le Meridien, Four Points, and W Hotels. On September 8^th, 2018, Marriott’s internal security discovered that hackers had accessed Starwood’s reservation database, encrypted customer data, and were attempting to remove it. Marriot only discovered the magnitude of the breach once they were able to decrypt the information in early November. In response, Marriott is offering free identity protection and credit monitoring for one year to affected customers. Marriott also agreed to pay for passport replacements for any customers who are found to be victims of fraud.

The breach has already affected Marriott’s reputation and bottom line. Immediately after the breach was announced, Marriott’s share price dropped 6 percent (losing nearly $20 million), and federal lawmakers were quick to criticize the company’s security policies. Senator Ron Wyden of Oregon has been one of the most vocal critics, calling Marriott’s solution of credit monitoring for affected customers “useless”, and asserting that “Until companies like Marriott feel the threat of multi-billion dollar fines, and jail-time for their senior executives, these companies won’t take privacy seriously.” Senator Wyden is joined by Senator Ed Markey of Massachusetts in using Marriott’s breach to call for comprehensive legislative action to protect consumers’ privacy and data.

Marriott’s data breach exemplifies how mergers and acquisitions can introduce cyber risk to organizations. Forty percent of acquiring companies discover a cyber issue with the target firm after the deal is closed. When evaluating and mitigating third party risk, it is vital to consider how various business activities of one’s vendors can impact the organization. As a part of our continuous monitoring services, Prevalent tracks these types of business activities and alerts customers to specific risks.

Prevalent offers the full range of tools to reduce third party risk and help industries meet compliance requirements. By combining continuous monitoring, risk assessments, and vendor information sharing, Prevalent customers can identify potential threats before they occur and significantly reduce risks to their data.

To learn more about Prevalent, watch our two-minute video.

Fatima Mahmood is an Open Source Intelligence Analyst intern with Prevalent. She is a recent graduate of the University of Maryland, College Park with dual degrees in Criminal Justice and Arabic Studies.