On November 30, 2018, Marriott International disclosed that its Starwood guest reservation database had been compromised, exposing the personal information of up to approximately 500 million guests. The breach was remarkable not only for its scale but for its origin: the unauthorized access began in 2014, two years before Marriott completed its acquisition of Starwood Hotels & Resorts Worldwide in September 2016. Marriott had unknowingly inherited an active, ongoing breach. The incident stands as one of the most important case studies in acquisition due diligence and the concept of inherited third-party risk.
The Breach Timeline
The intrusion into Starwood's guest reservation system began in 2014, when Starwood was still an independent company. The attackers compromised the Starwood network and gained access to the reservation database, which contained guest records going back years. When Marriott acquired Starwood in September 2016 for approximately $13.6 billion, the breach came with it — undetected.
It was not until September 8, 2018, that an internal security tool alerted on an attempt to access the Starwood guest reservation database. Marriott's investigation, conducted with the assistance of third-party forensic experts, determined that the attackers had copied and encrypted information from the database and taken steps toward removing it, and that unauthorized access to the Starwood network had been ongoing since 2014. The compromise therefore survived the acquisition, the integration period, and roughly two years of operation under Marriott's ownership before a single alert surfaced it.
| Impact Category | Details |
|---|---|
| Total Records Exposed | Up to approximately 500 million guest records in the initial disclosure (revised to approximately 383 million in January 2019) |
| Passport Numbers | Approximately 5.25 million unencrypted and approximately 20.3 million encrypted passport numbers |
| Payment Cards | Approximately 8.6 million encrypted payment card numbers (about 354,000 unexpired as of September 2018); Marriott could not rule out that the components needed to decrypt them were also taken |
| Breach Duration | 2014 to September 2018 (approximately four years, including roughly two years under Marriott's ownership) |
| UK ICO Fine | £18.4 million (reduced from initial £99 million notice of intent) |
What Was Compromised
The exposed data included a combination of contact information, passport numbers, Starwood Preferred Guest (SPG) account details, dates of birth, travel history, and payment card data. For approximately 327 million of the affected guests, the compromised records included some combination of name, mailing address, phone number, email address, passport number, SPG account information, date of birth, gender, and arrival and departure information. The exposure of unencrypted passport numbers was particularly concerning: unlike a payment card, a passport number cannot simply be reissued on request, and it can be used for identity theft and travel document fraud long after the breach.
The Acquisition Due Diligence Failure
The central lesson of the Marriott-Starwood breach is about inherited risk. When one company acquires another, it acquires not just the target's assets, revenue, and brand — it acquires its cybersecurity posture, its technical debt, its vulnerabilities, and any active compromises.
Marriott's pre-acquisition due diligence focused primarily on financial, legal, and operational considerations. The cybersecurity review that was conducted was not designed to detect an active, ongoing intrusion inside Starwood's reservation infrastructure, and a questionnaire or policy review is unlikely to find one. The Starwood network continued to operate on its legacy systems after the acquisition, and full integration of those systems into Marriott's security monitoring had not occurred by the time the breach was discovered two years later.
Regulatory Consequences
The breach drew significant regulatory attention, particularly in the United Kingdom. The UK Information Commissioner's Office (ICO) issued a notice of intent to fine Marriott £99,200,396 under the General Data Protection Regulation (GDPR) in July 2019. After considering Marriott's representations, the steps Marriott took after discovery, and the economic impact of COVID-19, the ICO issued a final penalty of £18.4 million in October 2020. Because GDPR only became applicable on May 25, 2018, the penalty addressed Marriott's security failings between that date and the discovery of the breach in September 2018, not the earlier years of the intrusion.
When it announced the notice of intent in July 2019, the ICO stated that Marriott "failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems." The message to acquirers is clear: once the deal closes, the acquiring company is the data controller and answers for the security of the systems it bought, regardless of when an attacker first got in.
In the United States, Marriott's chief executive testified before the U.S. Senate Permanent Subcommittee on Investigations in March 2019, and the company faced multiple class action lawsuits. The incident prompted broader industry discussion about the need for cybersecurity due diligence standards in corporate acquisitions.
Implications for Third-Party Risk Management
The Marriott-Starwood case expanded the definition of "third-party risk" beyond traditional vendor relationships to encompass corporate acquisitions, mergers, and partnerships. For TPRM professionals, the key takeaways include:
- Pre-acquisition threat hunting: Active compromise assessments should be standard in M&A due diligence, not just policy reviews and questionnaire-based assessments.
- Integration timelines matter: Legacy systems from acquired entities must be brought under the parent company's security monitoring as quickly as possible. Delayed integration extends the window of undetected risk.
- Inherited vendor relationships: When acquiring a company, you also inherit all of its vendor relationships and the associated risk. Each of those vendors must be assessed under the acquiring company's TPRM framework.
- Regulatory liability transfers: Under GDPR and similar regulations, the acquiring company becomes responsible for the acquired entity's personal data from the moment it takes control, so an intrusion that began before the deal becomes the acquirer's breach to detect, contain, and report.
For organizations using FAIR-based risk quantification, M&A scenarios present a distinct modeling problem: loss event frequency and loss magnitude must account for the unknown security posture of the target company, including a non-trivial probability that an active, undetected compromise already exists on the day the deal closes. That branch of the model typically dominates the tail of the loss distribution, which is what makes a pre-acquisition compromise assessment not just prudent but financially justified.
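The following Monte Carlo sketch is an added illustration of that modeling point; it is not code from this page, from the FAIR standard, or from the Fair TPRM platform. It models the ordinary FAIR structure (loss event frequency times loss magnitude) for a clean target, adds a separate branch for the chance that the target is already compromised at close, and then prices a pre-close compromise assessment as the expected loss it avoids. Every parameter value (the 10% chance of an active compromise, the cost ranges, the 60% detection rate) is a constructed assumption chosen for the example, not a figure from the Marriott case.

```python
"""FAIR-style Monte Carlo for inherited risk in an acquisition (illustrative only)."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.mode)

    def mean(self):
        # Mean of a triangular distribution.
        return (self.low + self.mode + self.high) / 3.0


@dataclass(frozen=True)
class AcquisitionScenario:
    lef_per_year: Estimate           # loss events per year if the target is clean
    loss_magnitude: Estimate         # USD cost of one ordinary loss event
    p_active_compromise: float       # chance an undetected intrusion exists at close
    inherited_breach_cost: Estimate  # USD cost when an inherited breach surfaces later
    contained_cost: Estimate         # USD cost when that intrusion is found before close


def poisson(mean, rng):
    """Knuth's algorithm: number of loss events in one year at the given rate."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, rng, trials=20000):
    """Return one annualized-loss sample per trial, including the inherited-breach branch."""
    samples = []
    for _ in range(trials):
        # Ordinary FAIR branch: LEF drives a Poisson count of events, each with its own LM.
        events = poisson(scenario.lef_per_year.sample(rng), rng)
        loss = sum(scenario.loss_magnitude.sample(rng) for _ in range(events))
        # Inherited branch: with probability p, an attacker is already inside at close
        # and the breach surfaces on the acquirer's watch.
        if rng.random() < scenario.p_active_compromise:
            loss += scenario.inherited_breach_cost.sample(rng)
        samples.append(loss)
    return samples


def summarize(samples):
    """Mean and 95th percentile of the annualized loss distribution."""
    ordered = sorted(samples)
    return {"mean": statistics.fmean(ordered),
            "p95": ordered[int(0.95 * (len(ordered) - 1))]}


def assessment_value(scenario, detection_rate):
    """Expected loss avoided by a pre-close compromise assessment (closed form).

    If the assessment finds the intrusion, the inherited-breach cost is replaced by the
    smaller cost of containing it before the deal closes. This is an upper bound on what
    it is rational to spend on the assessment.
    """
    avoided_per_hit = scenario.inherited_breach_cost.mean() - scenario.contained_cost.mean()
    return scenario.p_active_compromise * detection_rate * avoided_per_hit


# Constructed example parameters (assumptions, not figures from the Marriott case).
TARGET = AcquisitionScenario(
    lef_per_year=Estimate(0.05, 0.2, 0.5),
    loss_magnitude=Estimate(0.5e6, 2e6, 10e6),
    p_active_compromise=0.10,
    inherited_breach_cost=Estimate(20e6, 60e6, 200e6),
    contained_cost=Estimate(1e6, 3e6, 8e6),
)

if __name__ == "__main__":
    rng = random.Random(2018)
    clean = summarize(simulate(TARGET.__class__(**{**TARGET.__dict__, "p_active_compromise": 0.0}), rng))
    inherited = summarize(simulate(TARGET, rng))
    print(f"clean target      mean ${clean['mean']:,.0f}  p95 ${clean['p95']:,.0f}")
    print(f"with inheritance  mean ${inherited['mean']:,.0f}  p95 ${inherited['p95']:,.0f}")
    print(f"assessment worth up to ${assessment_value(TARGET, 0.6):,.0f} at 60% detection")
```

The inherited branch is what separates an M&A scenario from a routine FAIR analysis: it is a one-shot, high-magnitude event whose probability you cannot reduce by reviewing policies, only by looking for the attacker. Replace the constructed ranges with calibrated estimates from the deal team and the closed-form `assessment_value` gives a defensible budget for pre-acquisition threat hunting.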
Protect Your Organization from Third-Party Risk
Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.
Sources & References
- Marriott Announces Starwood Guest Reservation Database Security Incident - Marriott International, November 30, 2018
- Marriott International Inc - Penalty Notice - UK Information Commissioner's Office, October 2020
- Senate Hearing: Data Breaches and Corporate Responsibility - U.S. Senate Committee on Homeland Security and Governmental Affairs, Permanent Subcommittee on Investigations, March 2019
- Marriott Hacking Exposes Data of Up to 500 Million Guests - The New York Times, November 2018
- Marriott Data Breach FAQ - CSO Online