Marriott’s 500 Million Member Mess
When Cyber Due Diligence Goes MIA During M&A
A devastating data breach, shaping up to be one of the largest hacks in history, is sending shockwaves through corporate America. On Friday, November 30th, hotel behemoth Marriott announced that they recently discovered a 2014 breach affecting the Starwood guest reservation system, compromising the personal information of approximately 500 million customers over a four-year period. The majority of the victims had some combination of names, phone numbers, email addresses, passport numbers, dates of birth, and arrival and departure information stolen. Millions more also had their credit card information compromised. Marriott unknowingly got more than they bargained for when they purchased Starwood in 2016. Now, Marriott is forced to pay the price for failing to identify this breach during the deal stages of the acquisition.
The perpetrator of the Marriott hack is still unclear. Attribution in the cyber domain is always difficult. Yet early signs suggest that the Chinese government could be behind the hack. Investigators say they’ve discovered tactics, techniques, and procedures previously used in other Beijing-backed breaches. Starwood is an extremely popular hotel brand, making the company an attractive entity to monitor the travel patterns of prominent executives and government employees.
The Importance of Cyber Risk Due Diligence in M&A
Before finalizing an M&A deal, organizations hire a law firm to vet the company they are looking to acquire. It is imperative for the acquiring company to be sure of the target organization’s liabilities before the deal is finalized. This due diligence should include any potential cyber risk the target business may have. You want to unearth any potential skeletons in the closet before signing on the dotted line.
Think about cyber due diligence the same way you would go about buying a new house. You would never buy a house without first doing a home inspection. You want to make sure the plumbing system is functioning properly and the roof isn’t about to cave in. If the inspector finds any problems, you can ask the homeowners to fix them. Alternatively, you could use this information as leverage to negotiate a lower price on the house. Or, you may ultimately pass on purchasing the house altogether to pursue alternatives.
How to Do Cyber Due Diligence
As any executive that has been through one will attest, mergers and acquisitions are always complicated. It takes a small army to hammer out a seemingly endless number of details. Unfortunately, in the midst of this messy M&A process, cybersecurity matters often get overlooked. This appears to be what happened in the Marriott M&A, where a cybersecurity audit of the Starwood systems failed to exist or follow through in a comprehensive way.
So how can organizations prevent these kinds of oversights? If you manage mergers and acquisitions, or are responsible for conducting due diligence in the midst of a potential merger, here are a few tips to keep in mind as you proceed:
Perform an independent cybersecurity assessment and penetration test
Your organization should already be doing regular penetration tests (ideally once per year) to assess your current capabilities and liabilities. Before an M&A, your business will want to perform similar tests on the devices and networks of the target organization. Don’t take the target company’s previous tests at face value. Always remember the old Russian proverb, “trust, but verify.” Make sure to perform your own cybersecurity investigation to get an independent assessment.
Review third-party relationships
A growing number of organizations are outsourcing critical business functions to third parties. When your business merges with another company, you typically inherit their third-party relationships. Those third-parties expand your company’s attack surface, creating new avenues for threat actors to breach your business. So before agreeing to an M&A, you want to have a strong understanding of how these third-parties handle cyber risk. How much access will they have to your organization and your data? What type of information will be shared between your businesses? These are the kinds of questions your company needs to be asking during due diligence.
Do a “Dark Web” investigation to determine if key assets have already been compromised
Your target organization may have been previously breached — and they aren’t even aware of it yet. If any assets were stolen, there’s a good chance they ended up on the dark web. The dark web is a subsection of the internet inaccessible through standard web browsers. Because it’s intentionally hidden, the dark web serves as an ideal black market for illicit goods and services. Though the dark web may seem mysterious and murky, there are ways to search it for compromised assets that your company may be acquiring in an M&A.
The Consequences of Cyber Negligence
To be fair to Marriott, the Starwood breach was a particularly sophisticated cyber incident. The hack was an advanced persistent threat (APT) — that is, a targeted cyber attack in which an intruder gains access to a network and remains undiscovered for an extended period of time. Detecting APTs, particularly those orchestrated by nation state actors, is always difficult.
Still, it is clear that Marriott could have done more during due diligence to address this threat. Especially with a big M&A deal, companies need to do comprehensive breach or compromise assessments. Organizations need to go beyond the bare minimum. Quickly checking a couple of routine boxes, just to CYA, can no longer cut it.
The Marriott breach is a marquee example of what happens when an organization fails due diligence during an M&A deal. A class action lawsuit has already been filed against the hotel brand. Even more worrisome, lawmakers are lashing out at Marriott. Oregon Senator Ron Wyden says the status quo, empty promises to “do better” from breached businesses, is no longer acceptable. Organizations that mishandle hacks, Wyden says, should face multi-billion dollar fines — or even jail-time for senior executives. And few things frighten business executives more than calls from politicians to “lock them up!”
Whether the threats are coming from customers or congress, the message is increasingly clear: Companies that ignore cyber risks are in for a real reckoning.
Want to Learn More?
Is your organization concerned about the cyber implications of a potential M&A deal? CyberVista is here to help. Whether you’re looking for a deeper dive into the dark web or an executive-focused crash course on cyber risk, our Resolve program can reduce your company’s digital liabilities.