
Marriott’s Data Breach Underscores Importance of Scrutinising Data Security Policies During M&A

Massive data breach also gives rise to calls for stronger data protection legislation

The ever-increasing line of corporate data breaches grew longer last week, as Marriott International disclosed that it had been the latest victim of a massive cyber-attack. On Friday, November 30th, 2018, Marriott announced the largest data breach in its history, which compromised the personal information of nearly 500 million people. The exposed data included names, dates of birth, phone numbers, credit card information, and passport numbers.

According to Marriott, an unauthorized party had access to the databases of Starwood properties since 2014. Two years later, Marriott acquired Starwood and its hotel chains including St. Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points, and W Hotels. On September 8th, 2018, Marriott’s internal security discovered that hackers had accessed Starwood’s reservation database, encrypted customer data, and were attempting to remove it. Marriott only discovered the magnitude of the breach once they were able to decrypt the information in early November. In response, Marriott is offering free identity protection and credit monitoring for one year to affected customers. Marriott also agreed to pay for passport replacements for any customers who are found to be victims of fraud.

The breach has already affected Marriott’s reputation and bottom line. Immediately after the breach was announced, Marriott’s share price dropped 6 percent (losing nearly $20 million), and federal lawmakers were quick to criticize the company’s security policies. Senator Ron Wyden of Oregon has been one of the most vocal critics, calling Marriott’s solution of credit monitoring for affected customers “useless”, and asserting that “Until companies like Marriott feel the threat of multi-billion dollar fines, and jail-time for their senior executives, these companies won’t take privacy seriously.” Senator Wyden is joined by Senator Ed Markey of Massachusetts in using Marriott’s breach to call for comprehensive legislative action to protect consumers’ privacy and data.

The Marriott data breach exemplifies how mergers and acquisitions can introduce cyber risk to organizations. Forty percent of acquiring companies discover a cyber issue with the target firm after the deal is closed. When evaluating and mitigating third party risk, it is vital to consider how various business activities of one’s vendors can impact the organization.

As a part of our continuous monitoring services, Prevalent and DVV Solutions track these types of business activities and alert customers to specific risks.

Author: Fatima Mahmood, Prevalent Inc.

This article is shared with the kind permission of Prevalent Inc.