Marriott Data Breach: How Poor M&A Security Led to Four Years of Undetected Access

Learn how a pre-acquisition compromise turned into one of history’s largest data breaches.

• Attackers accessed the Starwood network in 2014, two years before Marriott’s acquisition, and remained undetected until 2018
• The breach exposed 383 million guest records including 5.25 million unencrypted passport numbers
• Marriott faced £18.4 million in UK fines, $52 million in US state settlements, and an FTC-mandated security overhaul
• A second breach in 2020 exposed another 5.2 million guests through compromised employee credentials

Four years. That’s how long attackers remained inside Marriott’s network before anyone noticed. When Marriott acquired Starwood Hotels in 2016, they inherited more than 5,500 properties. They also inherited a network that Chinese state-sponsored hackers had already compromised two years earlier.

There were multiple failures that led to the breach. No cybersecurity due diligence during the acquisition. No monitoring of privileged accounts. No detection of massive data exfiltration. Attackers spent years copying guest data while Marriott ran the systems without knowing they were compromised.

Marriott discovered the breach only when a newly deployed security tool flagged suspicious database queries in September 2018.

This case study examines what went wrong and the practical lessons for security teams managing acquisitions and protecting customer data.

What Happened in the Marriott Data Breach?

The Marriott data breach exposed personal information belonging to approximately 383 million hotel guests. The cyber attack began in 2014 and wasn’t discovered until 2018, making it one of the longest-running undetected hotel data breaches in history. When attackers hacked Marriott, they gained access to one of the world’s largest guest databases.

A data breach occurs when attackers access and copy sensitive information from your systems. Breaches can go undetected for months or years if you’re not monitoring database queries and privileged accounts.

The breach actually started at Starwood Hotels and Resorts, not Marriott. The Starwood data breach began when attackers first compromised the network in July 2014. When Marriott acquired Starwood in September 2016, they inherited the compromised infrastructure without realizing attackers were already inside. The Marriott Starwood data breach timeline therefore spans four years, from the initial compromise in July 2014 to discovery in September 2018.

Marriott only discovered the breach on September 8, 2018, when an internal security tool flagged a suspicious attempt to access the guest reservation database. Investigation revealed that attackers had been copying and encrypting data for years to evade detection.

By November 2018, Marriott understood the scope. The breach affected guest records from Starwood’s reservation system including names, addresses, and contact details. It also exposed passport numbers, dates of birth, and payment card information. The company publicly disclosed the breach on November 30, 2018.

How Did Attackers Compromise the Starwood Network?

The attackers used stolen credentials and malware to gain and maintain access. Their methods expose exactly where monitoring failed.

What Was the Initial Access Vector?

Attackers gained initial access to the Starwood network in July 2014 using compromised employee credentials. Once inside, they deployed a Remote Access Tool (RAT) that gave them persistent access even if the original credentials were changed.

The RAT allowed attackers to move laterally through the network. They eventually reached the Starwood guest reservation database, which contained records for all Starwood-branded hotels including Westin, Sheraton, St. Regis, and W Hotels.

Compromised credential monitoring can detect when employee credentials appear in stealer logs or breach databases. If you monitor for exposed credentials, you can force password resets before attackers exploit them.

How Did the Acquisition Make Things Worse?

When Marriott acquired Starwood in September 2016, they conducted due diligence on the financial and operational aspects of the business. But they didn’t properly assess Starwood’s security.

Rather than integrate Starwood’s systems into Marriott’s infrastructure, the company allowed Starwood properties to continue operating on existing systems. This meant the compromised network remained active.

Making matters worse, Marriott laid off most of Starwood’s IT and security staff after the acquisition. The people who understood the Starwood network were no longer there to identify anomalies or address security gaps.

The attackers continued operating inside the network for another two years after the acquisition.

Why Did the Breach Go Undetected for Four Years?

Four years without detection shows a fundamental failure in security monitoring. The UK Information Commissioner’s Office investigation identified specific control failures that enabled the extended intrusion.

Privileged account monitoring tracks accounts with elevated access rights, like administrator or database service accounts. When attackers compromise these credentials, they gain access to sensitive systems. Monitoring privileged accounts helps you detect this activity early.

What Monitoring Was Missing?

The ICO identified four principal security failures at Marriott. First, insufficient monitoring of privileged accounts. Attackers using compromised credentials could access systems without triggering alerts.

Second, insufficient monitoring of databases. The guest reservation database was being queried and copied without detection. Bulk data extraction should generate alerts.

Third, failure to implement server hardening. Systems weren’t configured to minimize the attack surface or detect unauthorized changes.

Fourth, failure to encrypt certain personal data. Some passport numbers were stored unencrypted, meaning attackers could read them directly without needing to crack encryption.

How Was the Breach Finally Discovered?

In September 2018, Accenture deployed a new security tool as part of ongoing security improvements. This tool flagged suspicious database query activity that the existing systems had missed.

The query that triggered the alert was an attempt to access the guest reservation database. Investigation revealed the attacker’s presence and the extent of data already exfiltrated.

Had Marriott deployed adequate data breach monitoring years earlier, they might have detected the intrusion when it began rather than after four years of data theft.

What Data Was Exposed?

The breach exposed multiple categories of sensitive personal information. The scope makes this one of the most significant hospitality industry breaches ever recorded.

Guest Personal Information

The compromised database contained records for approximately 383 million unique guests. Exposed data included names, mailing addresses, and contact information. The breach also revealed dates of birth, gender, and travel patterns like arrival and departure dates.

Passport Numbers

Marriott confirmed that approximately 5.25 million unencrypted passport numbers were accessed. An additional 20.3 million encrypted passport numbers were also exposed, though the encryption provides some protection if attackers couldn’t access the decryption keys.

Passport data is particularly sensitive because it can be used for identity fraud and doesn’t expire like payment cards. Affected guests may need to replace their passports to fully remediate the exposure.

Payment Card Information

The breach exposed payment card numbers and expiration dates for an undisclosed number of guests. Marriott stated that card numbers were encrypted using AES-128, but the investigation couldn’t rule out that attackers had obtained the decryption keys.

Who Was Behind the Attack?

While not officially confirmed by Marriott, U.S. government sources have attributed the attack to state-sponsored hackers associated with China’s Ministry of State Security. The breach is believed to be part of a broader intelligence-gathering campaign targeting travel industry data.

One key indicator of state sponsorship: the stolen data never appeared on dark web marketplaces. Criminal hackers sell data for profit. State actors keep it for intelligence. Travel records reveal patterns of movement for government officials, business executives, and military personnel. That intelligence value far exceeds any sale price.

What Were the Regulatory and Financial Consequences?

Regulators in the UK and US fined Marriott, and the legal fallout lasted for years.

UK ICO Fine

The UK Information Commissioner’s Office initially announced intent to fine Marriott £99 million in July 2019. This was reduced to £18.4 million in October 2020.

The reduction reflected mitigating factors. Marriott cooperated with the investigation, promptly notified affected individuals and regulators, and acted quickly to contain the breach once discovered. The COVID-19 pandemic’s impact on the hospitality industry also influenced the final amount.

The ICO GDPR fine only covered the period after GDPR took effect in May 2018, meaning Marriott was penalized for approximately four months of the four-year breach. Under GDPR, organizations must report breaches within 72 hours and implement appropriate security measures. The Marriott GDPR fine demonstrated regulators’ willingness to enforce these requirements against major corporations.

US State Attorneys General Settlement

In October 2024, Marriott agreed to pay $52 million to 49 states and the District of Columbia to resolve data security allegations related to the breach.

FTC Enforcement

The Federal Trade Commission finalized an order in December 2024 requiring Marriott and Starwood to implement a comprehensive information security program. The order mandates specific security controls and lasts for 20 years.

Required measures include multi-factor authentication, encryption, logging and monitoring that detects anomalies within 24 hours, investigation of suspicious activity within 24 hours, and breach notification to authorities within 10 days.

The FTC action recognized that the breach resulted from “security failures that led to three large data breaches affecting more than 344 million customers worldwide.”

Marriott Class Action Lawsuit and Data Breach Settlement

Beyond regulatory fines, Marriott faced class action lawsuits from affected guests.

In the US, plaintiffs filed a consolidated class action in Maryland federal court. They alleged negligence and breach of contract. The lawsuit questioned whether Marriott should have notified guests sooner.

The $52 million state settlement resolved government claims, but separate class actions addressed individual consumer harm. The legal battles dragged on for years after the initial disclosure.

Business Impact

Marriott’s stock dropped 5% immediately after the breach disclosure. The company incurred approximately $30 million in direct recovery expenses. Industry analysts estimate total impact exceeding $1 billion when accounting for diminished customer loyalty and brand damage.

How Did Marriott Get Breached Again in 2020?

Just over a year after disclosing the 2018 breach, Marriott suffered another hack. The 2020 breach exposed 5.2 million guest records through a different attack vector. Despite improvements after the first attack, Marriott still hadn’t fixed credential security.

What Happened in the Second Breach?

In mid-January 2020, attackers compromised the credentials of two Marriott employees. They used these credentials to log in to an application that guests use for hotel services during their stay.

The unauthorized access continued for approximately six weeks before Marriott’s security team detected it in late February 2020. The company disclosed the breach on March 31, 2020.

What Data Was Exposed?

The second breach exposed contact details including names and addresses. It also exposed loyalty account information like Marriott Bonvoy account numbers and points balances. Personal details such as company affiliation and room preferences were also compromised.

Importantly, this breach did not expose payment card information, passport numbers, or driver’s license numbers.

What Did Marriott Learn?

Marriott detected the 2020 breach faster, showing some security improvements. The 2014 breach went undetected for four years. The 2020 breach was caught in six weeks.

However, the breach still succeeded because of compromised employee credentials. The incident originated at a franchise hotel operating under the Marriott brand, highlighting third-party cyber risk challenges.

Multi-factor authentication could have prevented attackers from using stolen credentials. Monitoring for credentials appearing in stealer logs could have enabled password resets before the attack.

What Can Security Teams Learn from Marriott?

The Marriott breach offers critical lessons for any organization managing acquisitions, handling customer data, or seeking to improve breach detection capabilities.

How Should You Handle M&A Cybersecurity?

Marriott’s experience demonstrates why cybersecurity due diligence must be part of any acquisition. Before closing a deal, assess the target company’s security posture.

Conduct thorough network assessments looking for signs of existing compromise. Review security monitoring capabilities. Understand what data the target company holds and how it’s protected.

After acquisition, don’t simply inherit existing infrastructure. Either integrate systems into your security architecture with proper monitoring, or isolate acquired networks until you can verify their security status.

Retain key security personnel who understand the acquired systems. The institutional knowledge they hold can identify anomalies and security gaps that automated tools miss.

Why Is Credential Monitoring Critical?

Both Marriott breaches involved compromised credentials. The 2014 attack used stolen employee credentials for initial access. The 2020 attack used two compromised employee credentials to access guest applications.

Dark web monitoring detects when employee credentials appear in stealer logs and breach databases. When you identify exposed credentials, you can force password resets before attackers use them.

You should continuously monitor for credentials associated with your domains. When credentials appear on criminal marketplaces, act immediately. Don’t wait for attackers to test them against your systems.

What Database Monitoring Should You Implement?

The Starwood breach involved years of database queries and data exfiltration without detection. With proper database monitoring, Marriott would have spotted this activity.

Monitor for unusual query patterns, especially bulk data retrieval. Track which accounts access sensitive databases and alert on anomalies. Log and analyze database activity to identify unauthorized access.

The FTC now requires Marriott to implement monitoring that detects anomalies within 24 hours. This should be the standard for any organization holding sensitive customer data.
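The database monitoring described here and under "What Monitoring Was Missing" can be illustrated with a small sliding-window detector. This is an added example, not code from the article or from Marriott's own tooling: it parses constructed audit-log lines (an assumed `timestamp user database rows statement` format), sums rows returned per account and database over a one-hour window, and alerts when the total exceeds an assumed per-account baseline, flagging privileged service accounts separately.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed audit-log lines for the example (hypothetical format:
# "timestamp user database rows statement"); not real Marriott/Starwood data.
SAMPLE_LOG = """\
2018-09-08T01:00:05Z app_web reservations 300 SELECT * FROM guests WHERE hotel_id=12
2018-09-08T01:02:30Z svc_backup reservations 250000 SELECT * FROM guests
2018-09-08T01:15:12Z svc_backup reservations 250000 SELECT * FROM passports
2018-09-08T01:20:09Z app_web reservations 300 SELECT * FROM guests WHERE hotel_id=13
2018-09-08T01:40:00Z dba_admin reservations 5000 SELECT * FROM guests LIMIT 5000
2018-09-08T02:05:00Z app_web reservations 1 SELECT * FROM guests WHERE id=90
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.*)$")

# Assumed baselines: rows an account normally returns per hour. Accounts
# without a baseline fall back to DEFAULT_LIMIT. Both are example values.
BASELINE_ROWS_PER_HOUR = {"app_web": 500, "dba_admin": 10_000}
DEFAULT_LIMIT = 1_000
PRIVILEGED = {"dba_admin", "svc_backup"}  # assumed privileged/service accounts


def parse_line(line):
    """Parse one audit-log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, db, rows, stmt = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "user": user, "db": db, "rows": int(rows), "stmt": stmt}


def detect_bulk_retrieval(log_text, window=timedelta(hours=1)):
    """Return one alert per (user, database) the first time the rows returned
    inside the sliding window exceed that account's baseline."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # (user, db) -> (ts, rows) pairs inside window
    totals = defaultdict(int)     # (user, db) -> rows currently inside window
    alerted, alerts = set(), []
    for e in events:
        key = (e["user"], e["db"])
        recent[key].append((e["ts"], e["rows"]))
        totals[key] += e["rows"]
        while recent[key] and e["ts"] - recent[key][0][0] > window:
            _, expired = recent[key].popleft()   # drop rows outside the window
            totals[key] -= expired
        limit = BASELINE_ROWS_PER_HOUR.get(e["user"], DEFAULT_LIMIT)
        if totals[key] > limit and key not in alerted:
            alerted.add(key)
            alerts.append({"user": e["user"], "db": e["db"], "rows": totals[key],
                           "privileged": e["user"] in PRIVILEGED,
                           "at": e["ts"].isoformat()})
    return alerts
```

On the sample, the backup service account trips the alert on its first full-table read, and the web application account trips it only once two moderate queries add up inside the window, which is the case a per-query threshold misses.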

How Do You Protect Sensitive Data Like Passport Numbers?

The breach exposed 5.25 million unencrypted passport numbers. If Marriott had encrypted this data at rest, attackers couldn’t have read it even after accessing the database.

Identify the most sensitive data your organization holds. Implement encryption that keeps data protected even if the database is compromised. Manage encryption keys separately from the encrypted data.

Conclusion

Poor acquisition security and weak monitoring let attackers hide in Marriott’s network for years. They compromised Starwood in 2014, Marriott inherited the breach in 2016, and four years passed before anyone noticed.

Key lessons for security teams:

  • M&A cybersecurity due diligence is essential: Assess target company networks for existing compromises before acquisition. Don’t inherit infrastructure without verifying its security status.
  • Monitor for compromised credentials: Both Marriott breaches involved stolen employee credentials. Dark web monitoring detects exposed credentials before attackers exploit them.
  • Implement database monitoring: Bulk data extraction went undetected for years. Monitor database queries and alert on unusual access patterns.
  • Encrypt sensitive data at rest: Unencrypted passport numbers were directly accessible to attackers. Encryption provides protection even when databases are compromised.
  • Retain security expertise during acquisitions: Laying off IT and security staff eliminated the people who understood the acquired network.

Regulators set a new standard for breach accountability. The FTC’s 20-year order shows what happens when you fail at security.


Marriott Data Breach FAQ

Attackers first compromised the Starwood network in July 2014 using stolen credentials and malware. They used a Remote Access Tool (RAT) to move laterally through the network and access the guest reservation database. The initial access vector likely involved compromised employee credentials.

Marriott lacked adequate monitoring of privileged accounts and databases. The company didn’t detect unusual database queries or bulk data extraction. Only when Accenture deployed a new security tool in 2018 did the suspicious activity finally trigger an alert.

Both the 2014 and 2020 Marriott breaches started with compromised employee credentials. Dark web monitoring detects when employee credentials appear in stealer logs or breach databases. If Starwood or Marriott had detected the exposed credentials early, they could have forced password resets before attackers gained access.

The breach combined multiple failures. Marriott didn’t assess Starwood’s security before the acquisition, so they inherited a compromised network. Post-acquisition staff layoffs eliminated institutional knowledge. The four-year detection gap enabled massive data exfiltration including passport numbers.

The FTC requires Marriott to implement multi-factor authentication, encryption, continuous monitoring that detects anomalies within 24 hours, incident investigation within 24 hours, breach notification within 10 days, annual security testing, biennial third-party assessments, and vendor oversight protocols. This order lasts 20 years.

Marriott faced multiple class action lawsuits following the breach. A consolidated class action in Maryland federal court alleged negligence and consumer protection violations. Separately, Marriott agreed to a $52 million settlement with 49 state attorneys general. The total financial impact including settlements, fines, and recovery costs exceeded $100 million.