The UK data protection regulator, the ICO, has fined Marriott International for the massive data breach it suffered following its acquisition of the Starwood hotel group, a deal agreed in 2015 and completed in 2016.
The breach affected over 339 million guest records (an estimated 30 million of them belonging to residents of the European Economic Area) over a prolonged period: Starwood's systems had been compromised in 2014, before the acquisition, and the intrusion was not discovered until November 2018. The attackers gained access to customer account details by installing a Remote Access Trojan together with Mimikatz, a credential-dumping tool that harvests passwords and password hashes from memory on a compromised Windows host so that the attacker can move laterally through the network.
The fine itself (£18.4m) is only a fraction of the overall cost of the breach to Marriott. Early estimates put the total cost to the company at around a billion dollars once insurance, investigation, incident management, remediation and brand damage are accounted for. Even that figure may be eclipsed, as the company faces at least one class action lawsuit which could cost it £1.75bn.
Marriott is not expected to challenge the fine, which comes in the same year that the company disclosed another significant security breach, affecting over 5 million guests.
As a case study, the breach discovered in 2018 is a stark warning to other organisations. The ICO investigation concluded that Marriott had failed to put in place the “appropriate technical or organisational measures” required by the GDPR to protect people's data.
What makes this case so interesting is the weakness that company mergers and acquisitions can introduce: the buyer inherits the acquired company's systems, and with them any attacker who is already inside. In Marriott's case the intrusion into Starwood's network predated the purchase by roughly two years.
There has been no suggestion of foul play by the management of the Starwood hotel group, for example that they knew of the intrusion before the sale of the company to Marriott. The question for companies looking to acquire others is therefore obvious: how much due diligence is required to fully understand what is being purchased, and how much security expertise is needed to vet the target's standards and security posture as part of onboarding?