Marriott Suffers Massive Breach.... Or Did It?
I was sent a message early in the morning, from a friend, informing me of the Marriott breach. I was barely awake at the time and said to myself, et tu Marriott? Then I said to myself, before reading any reports, I bet it was because of the Starwood merger. You know I am a Breach Whisperer! If you didn’t know, a couple of years ago Marriott acquired Starwood brands (Westin, W, Sheraton, etc.) and they began the process of merging together all of their systems. Just this year they were able to merge their rewards programs together.
Sure enough, my instinct was right: it was the Starwood Reservations system that had been compromised for the last 4 years. Marriott has owned the company for 2 years, so that means the breach had been going on for 2 years before Marriott came along. However, that is not an excuse; it is Marriott’s breach. The only point I want to draw out is that when companies are merged and/or acquired, cyber security issues are also merged and/or acquired. If any of you have ever had to deal with companies that just acquire company after company, blindly connecting M&A networks with their own networks, without one thought to whether the company is already compromised, you have lived that nightmare! Just imagine how many more people would have been compromised if Marriott had rushed and connected both reservations systems. Holy Cow!
The board of directors of any company should mandate that a compromise assessment be performed before approving an M&A deal. Because in the end, even if it doesn’t happen on your watch, it is still your breach!