Article

Marriott Starwood Breach Spotlights Multiple Cyber Security Issues

Topic: Business NetworkingBy Michael PetersPublished Recently added

Legacy signals

Archived popularity: 1,175 legacy viewsImported historical SelfGrowth signal; not blended with current reader activity.

Reader rating

Not enough ratings yet

Aggregate average appears after enough eligible reader ratings.

Rate this resource

Sign in to rate this resource.

Sign in to rate this resource

The Marriott Starwood breach, which exposed the personal data of 500 million guests, was not the largest data breach in terms of size; Yahoo still holds that dubious honor. However, because of the nature of the data stolen, it has the potential for a very long reach and highlights multiple cyber security and data privacy issues. The importance of cyber security due diligence in M&A transactions The target of the Marriott Starwood breach was a reservations system for Starwood Hotel & Resorts, which Marriott acquired for $13 billion in 2016. A few days after the acquisition was announced, Starwood disclosed to Marriott that it had discovered malware on its point-of-sale systems at 26 locations but also indicated that the problem had been resolved. Unfortunately, what no one knew about at the time was that Starwood’s reservations system was the target of an advanced persistent threat that had been going on since 2014—two years before the deal closed. Hackers remained in the system for two more years before Marriott discovered them. This raises serious questions as to whether Marriott exercised cyber due diligence during the acquisition, especially since its own security team was breached in 2017.The dangers of advanced persistent threats The Marriott Starwood breach was an advanced persistent threat, a type of attack where hackers gain access to and remain inside a network undetected for a significant period of time and to achieve a specific goal; in this case, to harvest the personal and travel data of Starwood customers. ATP’s are highly sophisticated attacks that are often launched by nation-states or very large organizations—and at the time of this writing, it is believed that nation-state actors, possibly from China, are responsible. Why would foreign spies want to breach a hotel’s reservations system? The value of hotel customer data to real-world and cyber criminals In addition to personal identifying data and credit card information, hotels aggregate data on travel preferences and patterns, including where a business or leisure traveler goes, who travels with them, and when and where they stay. Hotels may also collect and store passport data, which is the case in the Marriott Starwood breach, car rental information, even information on what meals guests have sent to their rooms, what other hotel amenities they made use of, and the locations they visited while in the area. Starwood properties are primarily luxury hotel brands, including St. Regis and W Hotels, that cater to very affluent business and leisure travelers, and Starwood’s very popular customer loyalty program was one of the reasons why Marriott was so eager to acquire the company. Starwood customers tend to be frequent travelers who stay at Starwood properties whenever possible. The Marriott Starwood hackers are in possession of a treasure trove of information on C-level executives, celebrities, politicians, other high-net-worth travelers, and possibly their families. They have everything they need to profile victims for a variety of cyber and real-world crimes, from social engineering schemes to blackmail to stalking. No wonder Marriott Starwood is now the target of multiple class-action lawsuits, including a $12.5 billion lawsuit filed in Oregon. Marriott Starwood also faces penalties for non-compliance with PCI DSS, various state-level data privacy laws and, because European customers are involved, the GDPR. The poor handling of data breach disclosures by major corporations Many organizations are guilty of handling data breach disclosures very poorly, and Marriott Starwood is no exception. The company sat on the breach for three months before disclosing it, and when they finally did email affected guests, they did so using a domain named “email-marriott.com” instead of their primary domain. In addition to being confusing to recipients, who may have thought the emails were fake, this domain is easily spoofed—so easily that many security experts, alarmed, took it upon themselves to register misspellings lest they fall into the hands of cyber criminals, who seek to capitalize on major breaches. Get ready for a federal data privacy law Even before news of the Marriott Starwood breach broke, consumer anger over data privacy violations and organizational hand-wringing over the logistics of complying with dozens of different state privacy laws was putting pressure on the federal government to pass nationwide data privacy legislation. Marriott Starwood has added fuel to this fire, and organizations should expect action when the new Congress convenes in 2019.

Article author

About the Author

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions. He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.

Further reading

Further Reading

4 total

Article

Introduction There was a time when the call center was seen as a place where phones rang endlessly and agents simply answered questions. That picture has changed dramatically. Today the modern call center sits at the center of customer experience, quietly coordinating returns, managing fulfillment concerns, and shaping how customers feel about every interaction with a brand. Instead of reacting to problems, teams now guide customers through complex journeys. Their role has gr

February 6, 2026

Article

In today’s financial landscape, credit scores play a major role in determining access to loans, housing, and even employment opportunities. For individuals facing late payments, collections, or inaccurate credit reports, rebuilding credit can feel overwhelming. This is why many people turn to professional services for guidance. Among the growing number of Credit Repair Companies in Houston and providers offering Credit Repair San Antonio solutions, White Jacobs continues to

February 6, 2026

Article

Choosing the right POS terminal is more important now than ever. With customer expectations rising and payment methods changing quickly, businesses need a device that works fast, stays secure, and handles different payment types. The PAX A30 is a popular Android POS terminal that has gained attention for its modern design and strong features. In this review, we look at how well it performs in real life, what makes it stand out, and whether it can truly be called the best Andr

January 17, 2026

Article

Installing a rack mount server cabinet is an important task for anyone setting up a server room or a data center. These cabinets are designed to hold servers, networking devices, and other hardware safely and in an organized way. A well-planned installation helps improve airflow, manage cables neatly, and secure equipment, which makes the server room safer and more efficient. Whether you’re setting up a small office server or a larger business data center, knowing how to in

January 16, 2026