By Madhu Maganti, CPA, CISA – Director of IT Assurance and Security, Doeren Mayhew

Marriott revealed on Fri., Nov. 30 that its Starwood division’s guest reservation database had been compromised by an unauthorized party, exposing guest information such as payment details, names, mailing addresses, phone numbers, email addresses and passport numbers. The breach could affect as many as 500 million guests and could have been avoided had the appropriate cybersecurity due diligence been performed prior to Marriott’s acquisition of Starwood.

Given the international presence of Marriott and the Starwood division, it is also likely that the breach included customer details of European Union (EU) citizens, who fall under the General Data Protection Regulation (GDPR). The resulting fines could be astronomical, at up to 4 percent of the hotel chain’s global revenues. Lawsuits have already been filed, with two Oregon men asking for $12.5 billion in costs and losses, equating to $25 per user, which the two men claim would be the minimum value of the time users will spend canceling credit cards due to the hack. Other class-action lawsuits against Marriott are expected to be filed in the coming months.

What Happened?

Less widely discussed are the details surrounding the hack.

Marriott acquired Starwood in 2016. On Sept. 8, 2018, Marriott received an alert from its internal Security Incident & Event Management (SIEM) tool that there had been an attempt to access the Starwood guest reservation database. After consulting with security experts, Marriott learned that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information and taken steps towards removing it. On Nov. 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

Lesson Learned

In this case, what could have been done to avoid this massive failure?

Acquisitions are a way for a company to grow and increase market reach, but they can also expose the parent company to financial and other risks, which is why it is imperative for companies to conduct the appropriate due diligence to ensure red flags are identified and resolved before it is too late. However, a major threat companies miss when performing due diligence is cybersecurity risk. Cybersecurity risk is a business risk, not just an IT risk.

During any M&A activity, it would be prudent to conduct an independent and objective cybersecurity risk assessment to assess the cybersecurity risk the buying company will be taking on. Conducting a detailed risk assessment prior to the acquisition of Starwood would have alerted Marriott regarding the potential for unauthorized access and allowed for remediation prior to acquisition. Being blind to such a damaging cyber risk has put Marriott in the position that it is in today.

The independent and objective cybersecurity risk assessment would comprise reviewing the people, process and technology sides of cybersecurity, as well as reviewing the cybersecurity program for compliance with the regulatory requirements that apply to the industry and to the type of data being collected. The assessment would also involve trusted advisors, like those in Doeren Mayhew’s IT and Cybersecurity Group, performing a vulnerability assessment of the network, including penetration testing to see how far the vulnerabilities can be exploited. This ensures the buyer understands the cyber risk in the target and either does not inherit the cyber risk of the company being acquired or is aware that it needs to develop a plan to mitigate it.

For any organization to continue to mitigate cyber risk, consider implementing a robust cybersecurity program, including formal policies and procedures, security awareness training, an Incident Response Plan, and tools that help monitor security and network operations. Periodically performing a cybersecurity risk assessment will allow a company to find and remediate gaps, improve its security posture and create a roadmap for addressing security as the organization grows.

Doeren Mayhew’s dedicated IT Assurance and Cybersecurity Group works closely with management teams to identify risks and implement strategies to help avoid costly situations, such as the Marriott breach. For more information or to speak with an advisor, contact us today.