Risk and Reward: Unraveling the Marriott-Starwood Cybersecurity Breach


Some of the largest breaches in history have occurred during the merger or acquisition of major companies. In fact, the dubious holder of the #1 spot on the list of worst breaches by number of records stolen is Yahoo (at 3bn accounts), breached during its acquisition by Verizon (more on that in another post).

Holder of the #7 spot on that list is Marriott/Starwood Hotels, for the ~500m records stolen in a breach that spanned over 4 years, during which time Marriott acquired Starwood (in whose systems the attack was ongoing) and thus became responsible for the fallout of the attack. The fallout included a dramatic drop in share price, tens of millions of dollars in internal costs to investigate and recover, significant fines from privacy regulators, and multiple class actions that are still ongoing.

In this post we’ll set out the timeline of the breach, and some of the things that could have been done to detect the breach during the acquisition process and to manage the consequences of a breach not discovered until after the deal was closed.

 

Background:

Sometime in 2014, threat actors used a remote access trojan (RAT) to infiltrate the Starwood guest reservation system. Starwood’s system reportedly had a number of vulnerabilities that enabled the RAT to be deployed successfully and to remain undetected. Once in, there they stayed, observing and occasionally taking out large dumps of data until discovered 4 years later in 2018.

In 2015 Starwood discovered a ‘minor’ breach that impacted 54 US hotels, and took some steps to safeguard its systems, but failed to undertake in-depth threat hunting or to discover the larger, ongoing breach.

In the meantime, in 2016, Marriott Hotels sought to acquire Starwood Hotels. The acquisition would make Marriott the largest hotel group in the world. The final sale price was USD$13.3bn.

As in most due diligence processes, Marriott and its advisors primarily focused on evaluating financial metrics, real estate assets, and operational capabilities. Given the deal size, meticulous attention was given to Starwood’s revenue streams, debt structures, property valuations, and brand equity. Traditional reviews of regulatory compliance and legal contractual analysis were also conducted.

Although the specifics of the timeline are not publicly disclosed, due diligence in acquisitions of such magnitude usually spans several months and involves teams of lawyers, financial analysts, and consultants. However, despite this extensive process, one critical aspect was inadequately addressed: cybersecurity. The risk assessment did not delve deeply into the vulnerabilities and threats associated with Starwood’s IT infrastructure, a shortfall that would take until 2018 to manifest, but which was arguably detectable at the time the deal closed.

Once finalised, Starwood, with its compromised IT system, harbouring a sophisticated threat actor who had been exfiltrating files for years, was now Marriott’s responsibility.

Post-acquisition, Marriott took steps to integrate Starwood’s IT systems with its own, focusing on streamlining operations and leveraging synergies. The aim was to make Starwood’s reservation system interoperable with Marriott’s own systems and to align two brands’ customer loyalty programs.

While they were engaged in these operational efficiencies, Marriott did not take adequate steps to ensure the cybersecurity integrity of the newly acquired Starwood systems. There was no comprehensive cybersecurity audit or any immediate update of Starwood’s cybersecurity defenses. Continuous monitoring protocols, which could have identified suspicious activity, were not put in place and the threat actors continued to extract large packages of data at several points after acquisition.

Finally, on the 8th of September 2018, an internal security tool flagged a suspicious attempt to access the internal guest database. Investigations followed, and the full scale and severity of the breach started to emerge.

 

The breach and its impact:

Marriott called in third-party investigators including law enforcement agencies to support an in-depth incident response investigation.

The investigation revealed Mimikatz, a credential-dumping penetration-testing tool, in the system. Mimikatz is an extensively signatured tool, used widely by the hacking community. The attackers used it to search device memory for usernames and passwords. Any decent intrusion detection system, had one been in place, or any threat hunt or compromise assessment, had one been conducted, should have revealed Mimikatz residing on Starwood’s systems.
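To make the point concrete, here is the kind of check a threat hunt or endpoint-detection rule would run. This is an added illustration, not code from the original post and not Marriott’s or Starwood’s tooling. It scans constructed Sysmon-style event records (process creation, event 1; process access, event 10) for two publicly documented Mimikatz indicators: its `module::command` syntax on a command line, which survives renaming the binary, and a non-allow-listed process opening LSASS with memory-read access. The allow-list of processes expected to touch LSASS is an assumption that a defender would tune to their own environment.

```python
"""Toy Mimikatz indicator check over constructed Sysmon-style event dicts.

Added example, not from the original post. The sample events are constructed;
the indicators are the publicly documented ones used in common detection rules.
"""
import re

# Mimikatz's module::command syntax as it appears on a command line
# (e.g. sekurlsa::logonpasswords). Renaming the executable does not hide this.
MIMIKATZ_CMD = re.compile(
    r"\b(sekurlsa|lsadump|privilege|kerberos|crypto|token)::\w+", re.IGNORECASE
)

# Windows access right required to read another process's memory; reading
# LSASS memory is how credentials are recovered from a live host.
PROCESS_VM_READ = 0x0010

# Processes expected to open LSASS on a healthy host. Assumption: a defender
# tunes this allow-list to their own environment.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def check_event(evt):
    """Return a list of human-readable findings for one Sysmon-style event dict."""
    findings = []
    event_id = evt.get("EventID")

    if event_id == 1:  # process creation
        cmd = evt.get("CommandLine", "")
        image = evt.get("Image", "").lower()
        original = evt.get("OriginalFileName", "").lower()
        if MIMIKATZ_CMD.search(cmd):
            findings.append(f"mimikatz module syntax on command line: {cmd}")
        if "mimikatz" in image or "mimikatz" in original:
            findings.append(f"mimikatz name in process image or PE metadata: {evt.get('Image')}")

    elif event_id == 10:  # process access (one process opening a handle to another)
        target = evt.get("TargetImage", "").lower()
        source = evt.get("SourceImage", "")
        granted = int(evt.get("GrantedAccess", "0x0"), 16)
        if (
            target.endswith(r"\lsass.exe")
            and source.lower() not in LSASS_ALLOWLIST
            and granted & PROCESS_VM_READ
        ):
            findings.append(
                f"non-allow-listed process {source} opened LSASS with memory read "
                f"(GrantedAccess={evt.get('GrantedAccess')})"
            )
    return findings


def scan(events):
    """Run check_event over a sequence of events; returns (event index, finding) pairs."""
    return [(i, f) for i, evt in enumerate(events) for f in check_event(evt)]


# Constructed sample events (not real telemetry). Events 0, 1 and 4 should fire;
# 2 is a normal svchost.exe access and 3 is an unrelated process start.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\svc_res\AppData\Local\Temp\m.exe",
     "OriginalFileName": "m.exe",
     "CommandLine": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 10, "SourceImage": r"C:\Users\svc_res\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\svc_res\notes.txt"},
    {"EventID": 1, "Image": r"C:\Tools\mimikatz.exe",
     "OriginalFileName": "mimikatz.exe", "CommandLine": "mimikatz.exe"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The command-line and LSASS-access checks matter more than the file-name check: a renamed binary defeats a name match but still has to issue Mimikatz commands and read LSASS memory, which is exactly the behaviour a four-year-old intrusion would have produced repeatedly on Starwood’s hosts.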

In November 2018, the investigation revealed attackers had accessed over 500 million guest records, and exposed a wide range of sensitive data, including names, mailing addresses, phone numbers, passport numbers, and, in some cases, encrypted credit card information. The findings also pointed to several security lapses, including outdated security protocols and inadequate monitoring systems.

The investigation culminated in the uncomfortable realization that Marriott had inherited a cybersecurity ticking time bomb through its acquisition of Starwood, and that inadequate due diligence and post-acquisition measures contributed to the failure to detect the breach earlier.

Finally, on November 30, 2018, Marriott publicly announced the breach, almost 3 months after it was first detected.

 

Financial Implications:

The financial fallout for Marriott from the cybersecurity breach was substantial and multi-faceted. Shortly after the breach announcement, Marriott’s share price dropped by almost 5%, resulting in a loss of several billion dollars in market capitalization.

The internal investigation and remediation activities, including the engagement of cybersecurity experts and upgrading of security systems, cost around $30m, including providing millions of dollars of identity monitoring services to impacted customers.

Marriott faces over 150 class-action lawsuits from affected customers and shareholders, which have led to significant legal expenses and potential settlement costs. These cases are still making their way through the courts, and the full impact of any damages awarded is yet to be known.

Regulatory bodies also took action; the UK’s Information Commissioner’s Office (ICO) initially proposed a fine of roughly USD$124 million under the General Data Protection Regulation (GDPR) for failing to protect customer data. Whilst the fine actually imposed was reduced to USD$18.4m, the findings from the ICO were scathing, and specifically commented on the lack of due diligence during the acquisition, and the lack of care regarding security maturity of the systems being integrated post merger.

The lost ‘customer loyalty’ due to the breach is estimated at over USD$1bn.

 

Missed Opportunities and Failed Activities During the Acquisition

The cumulative total of these costs cannot have failed to take the shine off the acquisition for Marriott’s shareholders, Board and executive, and made a significant dent in the value proposition of the $13bn deal.

So unimpressed were the shareholders in fact, that they are amongst those bringing class actions against the company and the Board for failure to protect the company against the breach.

There are numerous things that Marriott could have done to detect the breach, and even if un-detected, to protect itself against the consequences of an undiscovered breach in its target’s systems.

 

Due Diligence

During an M&A process, due diligence serves as a critical framework for assessing the risks and assets of the target company. Given the prevalence of cybersecurity attacks, the cost of an attack, and the impact on brand and customer loyalty (some of the key attractions of Starwood) that a cyber breach can bring, detailed and careful cybersecurity due diligence should have been a key part of the assessment of Starwood’s risks and assets.

Marriott fell short in evaluating the cybersecurity posture of Starwood thoroughly, if at all. A comprehensive cybersecurity assessment, including penetration testing and audits, would have, at a minimum, detected the lack of maturity and the existing vulnerabilities in Starwood’s systems, even if it had failed to detect a sophisticated threat actor and an existing breach.

When Starwood disclosed its 2015 breach, it should have been a red flag to Marriott that the Starwood system had vulnerabilities and warranted a deeper investigation. However, Marriott proceeded with the acquisition without revisiting its cybersecurity risk assessment for Starwood, and without putting in place a cybersecurity uplift or detailed review as part of any post-merger integration activities.

 

Contractual protections

Marriott had several legal avenues they could have explored to mitigate the risks of undetected cyber vulnerabilities in Starwood’s systems. One of the most effective approaches would be the inclusion of robust representations and warranties in the acquisition contract around undiscovered cybersecurity risks.

This could have included warranties from the seller as to the absence of known breaches, and that the Starwood systems met certain cybersecurity standards.

The contract could also have included indemnification clauses that would hold Starwood financially responsible for costs arising from pre-acquisition cyber incidents.

Earn-outs or escrow arrangements are also viable options; these involve withholding a portion of the purchase price to be released only after the successful completion of comprehensive cybersecurity audits post-acquisition.

Lastly, the agreement could have mandated immediate and ongoing cybersecurity assessments and audits, to be conducted by a third-party, as a condition precedent or subsequent to the closing of the deal.

 

Post-merger activities

Even after the acquisition was complete, Marriott did not initiate immediate, continuous monitoring of Starwood’s IT systems, which should have been a basic control for systems holding large amounts of personal data. Continuous monitoring could have flagged suspicious activities much earlier (such as the multiple exfiltrations of data packages after the acquisition), possibly mitigating the extent of the breach.
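One of the simplest continuous-monitoring controls that would have surfaced the post-acquisition data dumps is a per-host outbound-volume baseline. The following is an added illustration, not code from the original post and not Marriott’s or Starwood’s monitoring. It aggregates constructed daily flow summaries per host and raises an alert when a day’s outbound total exceeds a multiple of the median of the preceding window; the host names, destinations, byte counts, window size and thresholds are all constructed assumptions.

```python
"""Toy exfiltration-volume monitor over constructed per-host flow summaries.

Added example, not from the original post. A reservation database host that
normally sends ~2 GB/day to a backup target suddenly pushes 45 GB to an
external address on day 8; the check flags that day and nothing else.
"""
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (day, host, destination, bytes_out). Not real data.
# 203.0.113.77 is from the documentation address range and stands in for an
# unknown external destination.
SAMPLE_FLOWS = [
    (1, "resdb-01", "backup.corp.example", 2_000_000_000),
    (2, "resdb-01", "backup.corp.example", 2_100_000_000),
    (3, "resdb-01", "backup.corp.example", 1_900_000_000),
    (4, "resdb-01", "backup.corp.example", 2_000_000_000),
    (5, "resdb-01", "backup.corp.example", 2_200_000_000),
    (6, "resdb-01", "backup.corp.example", 1_800_000_000),
    (7, "resdb-01", "backup.corp.example", 2_000_000_000),
    (8, "resdb-01", "backup.corp.example", 2_000_000_000),
    (8, "resdb-01", "203.0.113.77", 45_000_000_000),   # the bulk dump
    (9, "resdb-01", "backup.corp.example", 2_100_000_000),
    (10, "resdb-01", "backup.corp.example", 1_900_000_000),
] + [(d, "web-03", "cdn.corp.example", 500_000_000) for d in range(1, 11)]


def daily_totals(flows):
    """Sum bytes_out per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dest, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def flag_exfiltration(flows, window=7, factor=5.0, floor_bytes=1_000_000_000):
    """Return (host, day, bytes_today, baseline) for days whose outbound total
    exceeds `factor` times the median of the previous `window` days.

    The median is used rather than the mean so that a dump on one day does not
    inflate the baseline and mask a second dump shortly afterwards. `floor_bytes`
    stops near-idle hosts from alerting on trivial absolute volumes.
    """
    alerts = []
    for host, per_day in daily_totals(flows).items():
        days = sorted(per_day)
        for i in range(window, len(days)):
            prior = [per_day[d] for d in days[i - window:i]]
            baseline = median(prior)
            today = per_day[days[i]]
            if today > max(factor * baseline, floor_bytes):
                alerts.append((host, days[i], today, baseline))
    return alerts


if __name__ == "__main__":
    for host, day, today, baseline in flag_exfiltration(SAMPLE_FLOWS):
        print(f"{host} day {day}: {today / 1e9:.1f} GB out vs baseline {baseline / 1e9:.1f} GB")
```

A real deployment would key the baseline on host and destination class (internal backup versus anything external) and would be fed from NetFlow, proxy or cloud flow logs rather than a hand-built list, but the shape of the check is the same: a 20x departure from a host’s own norm is the kind of event that went unremarked for years here.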

All these financial burdens combined to create a staggering cost for Marriott, much of which could have been avoided with more diligent cybersecurity practices during the acquisition process.

 

If they had their time again:

Whilst in all acquisition processes, there are time and cost pressures, cybersecurity must now be considered an essential component of the risk and value assessment of any target.

Basic due diligence cybersecurity exercises can reveal information that can be considered in valuing a company, and good legal advice will now guard the acquirer against unknown cybersecurity breaches in the target.

If Marriott had done a full investigation of Starwood’s system prior to the acquisition, the malware in its system would have been found. This would have given Marriott the opportunity to back out of the deal, or to require Starwood to deal with the breach before the acquisition went ahead.

Whilst not yet a common part of M&A, cybersecurity due diligence must become the ‘norm’ for savvy companies wishing to make the most of their acquisitions, and to avoid the multitude of consequences if they don’t.

Posted on 2023-10-07