Anatomy of a Breach: Marriott — 500 Million Guest Records and a Breach That Started Four Years Before Discovery

> series: anatomy_of_a_breach —— part: 119 —— target: marriott_starwood —— records: 500,000,000 —— breach_duration: 4_years —— proposed_fine: £99,000,000

Hedgehog Security | 30 November 2018 | 14 min read

500 million guests. Four years undetected. The breach came with the acquisition.

On 30 November 2018, Marriott International disclosed that unauthorised access to the Starwood guest reservation database had been ongoing since 2014 — two years before Marriott acquired Starwood Hotels and Resorts in September 2016. Approximately 500 million guest records were affected, including names, addresses, phone numbers, email addresses, dates of birth, and — for a significant subset — passport numbers and encrypted payment card information. It was the second-largest data breach ever disclosed (after Yahoo's three billion).

The breach had been active for approximately four years before a security tool flagged a suspicious database query on 8 September 2018. For two of those four years, the compromised system belonged to Marriott — meaning Marriott had acquired an actively compromised system and operated it for two years without detecting the intrusion. The ICO proposed a £99 million GDPR fine (later reduced to £18.4 million) — the second-largest GDPR fine proposed, after British Airways.


Marriott bought Starwood. The breach came free.

The Marriott breach is the definitive case study for M&A cyber due diligence. When Marriott acquired Starwood in 2016, it acquired an actively compromised reservation system — and either did not discover this during due diligence or did not remediate it after acquisition. The parallels with TalkTalk's Tiscali legacy systems (2015) and Nortel's decade-long compromise (2012) are direct: acquisitions bring inherited security debt, and that debt must be identified and remediated.

M&A Due Diligence Must Include Cyber

Marriott's failure to identify the active compromise during the Starwood acquisition is the strongest possible argument for mandatory cyber due diligence in M&A transactions. Our <a href="/penetration-testing">penetration testing</a> is regularly commissioned as part of M&A due diligence — assessing the target's security posture before the deal closes.

Passport Numbers Stolen

The Marriott breach was notable for the inclusion of passport numbers — identity documents that cannot be easily changed and that enable identity fraud at international borders. The theft of passport data elevated the breach from a standard credential compromise to a potential national security concern.

Four Years Undetected

The breach persisted from 2014 to 2018 — four years. During that time, 500 million guest records were accessible to the attackers. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the continuous monitoring that detects database access anomalies — reducing dwell time from years to hours.

£99 Million Proposed → £18.4 Million Final

The ICO's initial £99 million proposed fine was reduced to £18.4 million — reflecting Marriott's cooperation, steps taken to mitigate harm, and COVID-19's impact on the hospitality industry. Even at £18.4 million, the fine demonstrated the ICO's willingness to impose significant GDPR penalties. <a href="/cyber-essentials">Cyber Essentials</a> demonstrates the appropriate measures that reduce regulatory risk.

When you acquire a company, you acquire its security posture — including its breaches.

The Marriott breach established that M&A transactions must include comprehensive cyber security due diligence — assessing not just the target's current security posture but whether it is currently under active compromise. For UK organisations involved in acquisitions, our penetration testing provides the assessment that identifies inherited security debt. Cyber Essentials certification of acquisition targets provides evidence of baseline security. SOC in a Box provides the monitoring that detects inherited compromises. And UK Cyber Defence provides the forensic investigation capability when an acquired system is found to be compromised.


Marriott bought a breach with its acquisition. What are you buying?

Our <a href="/penetration-testing">penetration testing</a> assesses acquisition targets. <a href="/cyber-essentials">Cyber Essentials</a> certifies baseline security. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects inherited compromises.
