Marriott Data Breach

Marriott Breach Summary

Incident Overview:
In November 2018, Marriott International disclosed a large data breach affecting its Starwood division, whose brands included Sheraton, Westin, and W Hotels. The breach was detected after an internal security tool flagged an unauthorized access attempt to the Starwood guest reservation database on September 8, 2018. Investigation showed the intrusion had begun in 2014, two years before Marriott acquired Starwood. Marriott initially estimated that records for up to 500 million guests were exposed and later revised the figure to roughly 383 million guest records, many of them duplicates for the same individuals. The compromised data included names, addresses, phone numbers, email addresses, dates of birth, and reservation details; passport numbers, of which about 5.25 million were stored unencrypted and about 20.3 million encrypted; and, for some guests, encrypted payment card details.


Technical Root Cause:

  • Security Culture and Practices: Before its acquisition by Marriott in 2016, Starwood's security posture was weak. The Wall Street Journal reported that Starwood employees found the reservation system difficult to secure, and a separate point-of-sale malware breach disclosed in 2015 was investigated without uncovering the intrusion that had begun in 2014. Reporting on the incident pointed to outdated practices, including Remote Desktop Protocol (RDP) access left reachable without adequate safeguards. Exposed RDP is a common initial foothold: once an attacker has an interactive session, installing remote access trojans (RATs) and credential-harvesting tools on internal systems is straightforward.
  • Encryption Issues: About 5.25 million passport numbers were stored unencrypted and stolen in the clear, while roughly 20.3 million others were encrypted. Encryption was therefore available but applied inconsistently to the same class of data. The encrypted data was not automatically safe either: Marriott stated that it could not rule out that the components needed to decrypt the payment card numbers had also been taken, which is the usual caveat when keys live alongside the data they protect.
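The RDP exposure described above is the kind of condition an inventory check can catch before an attacker does. The following is an added example written for this page, not Marriott's or Starwood's code: it audits a list of ingress rules in the shape of cloud security-group entries and flags any rule that admits TCP/3389 from a source outside the organisation's trusted address ranges. The rule format, the field names, the trusted-range list and the sample rules are all constructed assumptions for the example.

```python
"""Audit ingress rules for RDP (TCP/3389) reachable from untrusted sources.

Added example for this page, not code from Marriott or Starwood. The rule
dictionaries, their field names and the sample rules are constructed for
illustration; a real audit would pull rules from the firewall or cloud API.
"""
import ipaddress

RDP_PORT = 3389

# Source networks treated as internal/trusted. A rule whose source is not
# entirely inside one of these is treated as reachable from the internet.
# This list is an assumption for the example; use your own address plan.
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]

# Constructed sample rules (not real Starwood rules). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for public addresses.
SAMPLE_RULES = [
    {"id": "sg-1", "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
    {"id": "sg-2", "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "10.20.0.0/16"},
    {"id": "sg-3", "proto": "tcp", "from_port": 0, "to_port": 65535, "cidr": "203.0.113.0/24"},
    {"id": "sg-4", "proto": "udp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
    {"id": "sg-5", "proto": "-1", "from_port": 0, "to_port": 0, "cidr": "::/0"},
    {"id": "sg-6", "proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "198.51.100.7/32"},
]


def rule_covers_rdp(rule):
    """True if the rule admits TCP/3389: explicitly, via a port range, or via
    an 'all protocols' entry. UDP/3389 alone is not flagged, since RDP session
    setup needs the TCP listener."""
    proto = str(rule["proto"]).lower()
    if proto in ("-1", "all", "any"):
        return True
    if proto != "tcp":
        return False
    return rule["from_port"] <= RDP_PORT <= rule["to_port"]


def source_exposure(cidr):
    """Return None for a trusted source, otherwise a label describing how broad
    the untrusted source is. subnet_of() is used instead of is_global because
    0.0.0.0/0 spans reserved ranges and is not reported as global."""
    net = ipaddress.ip_network(cidr, strict=False)
    for trusted in TRUSTED_SOURCES:
        if trusted.version == net.version and net.subnet_of(trusted):
            return None
    if net.prefixlen == 0:
        return "internet"          # 0.0.0.0/0 or ::/0
    if net.prefixlen == net.max_prefixlen:
        return "public-host"       # a single external address, e.g. a vendor jump host
    return "public-range"


def find_exposed_rdp(rules):
    """Return (rule id, exposure label) for every rule that exposes RDP to an
    untrusted source, in the order the rules were given."""
    findings = []
    for rule in rules:
        if not rule_covers_rdp(rule):
            continue
        exposure = source_exposure(rule["cidr"])
        if exposure is not None:
            findings.append((rule["id"], exposure))
    return findings


if __name__ == "__main__":
    for rule_id, exposure in find_exposed_rdp(SAMPLE_RULES):
        print(f"{rule_id}: RDP reachable from {exposure} source")
```

The "all protocols" case (sg-5) and the wide port range (sg-3) are deliberately included: the rules that actually expose RDP in practice are rarely the ones that name port 3389. Even a single-host finding (sg-6) deserves a ticket, because a vendor or contractor jump host is exactly the sort of access path that outlives the engagement that justified it.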

Resolution:

  • Immediate Actions: Marriott reported the breach to law enforcement and engaged forensic specialists for investigation. They also set up resources like a dedicated website and call center for affected guests and offered a year of free credit monitoring.
  • Security Enhancements: Post-breach, Marriott has implemented more stringent security measures, including better encryption practices and network segmentation to prevent similar incidents.

Court Cases and Legal Actions:

  • Class Action Lawsuits: Numerous class action lawsuits were filed against Marriott, with claims focusing on the company’s failure to perform adequate due diligence on Starwood’s cybersecurity before the acquisition. Accenture, which managed much of Starwood’s IT, was also named in some lawsuits. These lawsuits sought damages for the loss of personal information’s value and overpayment for hotel stays due to inadequate security.
  • Regulatory Actions: The UK's Information Commissioner's Office (ICO) initially announced an intention to fine Marriott £99.2 million for breaches of the GDPR; the final penalty, issued in October 2020, was £18.4 million. In the US, Marriott agreed in October 2024 to pay $52 million to 49 states and the District of Columbia to resolve claims under state consumer protection and data security laws, and entered a parallel order with the Federal Trade Commission requiring it to implement and maintain a comprehensive information security program.
  • Class Certification: The U.S. District Court for the District of Maryland certified classes in the multidistrict Marriott data breach litigation, allowing consumers to proceed collectively. The Fourth Circuit vacated that certification in 2023 because the district court had not addressed a class action waiver in the Starwood loyalty program terms. On remand, the district court found that Marriott had waived the provision by litigating the case for years without invoking it and recertified the classes, allowing the class actions to proceed.

Outcome and Lessons:

  • Financial Impact: Marriott incurred substantial investigation and remediation costs, legal fees, and regulatory penalties, along with reputational damage; some estimates put the resulting revenue loss from customer distrust above $1 billion.
  • Cybersecurity Lessons: The incident underscored the need for rigorous cybersecurity during mergers and acquisitions, the importance of encrypting sensitive data, and the necessity of continuous monitoring and updating security measures to detect and respond to breaches swiftly.

This breach serves as a critical case study for enterprises, highlighting how cultural, technical, and procedural lapses can lead to one of the most significant data breaches in history.
