In 2016, Marriott International cemented a business deal that made it the largest hotel chain in the world, adding Sheraton, St. Regis, Westin and W Hotels to its list of international properties.
Little did the hospitality company know that among the properties it acquired from Starwood Hotels and Resorts Worldwide was also a compromised database breached by bad actors who were duplicating, encrypting and working to erase personal data of guests.
The intrusion occurred in 2014 and went unnoticed for two years before the acquisition and two years after.
Last week, Marriott became the cautionary tale for the underlying security risks of an acquisition when it disclosed a massive data breach impacting about 500 million guests. Starwood's database contained information "relating to reservations" at Starwood properties, according to the company's breach announcement.
Despite the compromised database wearing Starwood's name, the breach is Marriott's problem. When an acquisition takes place, security continuity isn't always a part of the contract. Now, the cost of Starwood is much more than Marriott initially bargained for.
It started with a purchase
There are so many moving parts of an acquisition that are dynamic and complex, security is sometimes ignored.
"Vetoing an acquisition because of cybersecurity concerns is unlikely," said Jeff Pollard, VP and principal analyst at Forrester, in an interview with CIO Dive.
But merging two IT and security organizations can be a messy. "I don't think there is an ideal process and maybe that's part of the problem," said Pollard.
What typically happens during an acquisition is a cybersecurity audit or assessment as part of due diligence. It's usually contracted out by personnel close to the deal, like brokers.
Companies looking to expand their assets with purchases have to take a more personal look at the intricacies of security. In fairness, "the Marriott people are no slouches when it comes to IT," said Adam Firestone, chief engineering officer at Secure Channels, Inc., in an interview with CIO Dive.
In Marriott's case, it seemed "like a security, merger, operations and business problem rolled into a single issue," said Richard Wite, adjunct professor at the University of Maryland University College, in an email to CIO Dive.
Pollard suggests the acquirer typically heads the unification of security, but it's more of a team effort led by the organization's CIO or CISO. It's likely that one of the companies had a weaker security posture, said White.
An effective CIO reviews the acquired company's practices and procedures while working with leadership from both companies, according to Firestone. From there, leadership can design a plan that can take advantage of each companies' strengths and "close the gaps."
Marriott confirmed the unauthorized access was detected by an internal security tool, which prompted the investigation. It's conceivable that Starwood either didn't have the detection technology or failed to update it, said Pollard.
It was "bad luck for Marriott," said Pollard, but adopting a strategic skepticism could be a saving grace for future acquisitions.
Unifying security strategies after an acquisition
When it comes to the data economy, companies have to understand the data they own and newly acquired data because they're also buying potential liabilities. Combing through a potential purchase's security posture and habits should be as important as any other M&A process.
Security is hard because it's "proving a negative," said Firestone, therefore investments aren't always clear. But "when nothing happens, you're getting a return on investment."
Security strategies can vary from company to company, but during and after an acquisition it's essential the two security organizations centralize their plan, including goals, metrics, protocols and procedures, according to Firestone. "This unification of perspective is a prerequisite for a successful implementation" for the two former IT departments to become a "single, synergistic whole."
"Deterrence by denial" is one security strategy that cannot be done in silos after an acquisition. This strategy requires companies to adopt the mindset that their perimeter has already been intruded and work to reduce an attacker's return on investment.
A cultural shift is required because it changes how security has traditionally been orchestrated, but acquisitions demand the same type of cultural change. Deterrence by denial doesn't eliminate the need for monitoring and active defense, it just elevates security.
But if a company acquires another company that doesn't have a deterrence by denial strategy, "the challenge is to enfranchise the acquisition," said Firestone. But "that's not IT," it's "business savvy."
What happens to Marriott and its guest
The threat of a breach lived in Starwood's database before Marriott's purchase, yet the burden of responsibility falls on Marriott.
However, Starwood might be "obligated to absorb some of the blame since it was a result of [their] systems information that was breached," said White.
As with any other data breach, some of the compromised information can lead to obvious fraudulent activities. But there's "just sort of a creepiness" about the intimate details regarding this attack.
With the information the attackers were able to access, they'll be able to create individual profiles, said Paige Boshell, privacy counsel LLC, in an interview with CIO Dive.
The acquisition didn't just give Marriott Starwood's properties, it gave them access to an elite class of guests. The value of the Starwood brand was its customer base, and now their loyalty to the company hangs in the balance.
Now identities of potentially powerful Starwood members, like government officials or industry executives, and their guest preferences, habits and travel patterns are in the hands of a very sophisticated bad actor.
All this information could be compiled to perform a secondary attack, like a meticulously personalized phishing attack because attackers can "now create persona and sell persona on the open market," according to Firestone.
But the hospitality company's announcement was intentionally broad and "straddle[d] the tension between giving a notice that is really informative and giving prompt notice," said Boshell. But the increase in probe announcements are helping carve out details undisclosed to the public.
As of Friday afternoon, New York Attorney General Barbara Underwood announced an investigation into the breach and whether or not it violated state law by failing to notify the AG at the time of discovery.
The Federal Bureau of Investigation's involvement points to a larger criminal enterprise narrative, which is consistent with public facts, like prolonged length of exposure time and method of disclosure, according to Boshell.
Additionally, because of Marriott's international presence, it falls under the regulations set by GDPR. Penalties as high as 4% of revenue could be placed on the hospitality company if regulators find the company failed to meet compliance mandates.