Marriott Starwood: 500 Million Guest Records Stolen Over Four Undetected Years

What happened
Marriott disclosed that attackers had been present in Starwood's reservation database since 2014 — two years before Marriott acquired Starwood. By the time the breach was discovered in 2018, roughly 500 million guest records had been stolen, including 5 million unencrypted passport numbers.[1]
What went wrong
The breach began in Starwood's systems before the Marriott acquisition and was never detected during due diligence. Attackers had four years of unrestricted access, which suggests that intrusion detection and log monitoring on the Starwood side were inadequate and that these gaps were never remediated post-acquisition.[1]
Lesson learned
M&A due diligence must include deep cybersecurity audits of target companies. Acquired systems should be treated as untrusted and isolated until fully assessed. Four years of undetected presence indicates monitoring failures at every layer.
Sources
- [1] Marriott International. Marriott Starwood: 500 Million Guest Records Stolen Over Four Undetected Years.