Marriott / Starwood — 500M guest records
Chinese state-sponsored actors spent four years inside Starwood's reservation system — surviving the Marriott acquisition — and exfiltrated passport numbers and stay records on 500 million guests.
- Target: Marriott / Starwood — 500M guest records
- Date public: 30 November 2018
- Sector: Consumer Goods
- Attack type: Nation State
- Threat actor: China-linked actors (US government attribution)
- Severity: Critical
- Region: Global
In 2014, hackers broke into the computer systems of Starwood Hotels — the company behind Sheraton, Westin and W Hotels. They were so quiet about it that nobody noticed for four years. In that time, Marriott bought Starwood for $13 billion and the attackers just kept going, browsing through the reservation database that held details on half a billion hotel guests. When Marriott's security team finally spotted something odd in September 2018, the damage was already done. The stolen files included names, addresses, phone numbers, email addresses, and dates of birth — and for more than five million people, their passport number was in there too, stored in a completely unprotected format. US officials publicly pointed the finger at China's intelligence services, suggesting the goal was building a database of people who travel and where they go — the kind of information that helps a foreign government identify spies, track diplomats, and map the movements of government employees. Marriott was fined £18.4 million in the UK. The episode is now the textbook case for why companies doing big acquisitions need to check whether what they're buying already has attackers hiding inside it.
What happened
In September 2018, a security tool monitoring Marriott’s Starwood guest-reservation database flagged an unusual query. Internal investigation revealed that an attacker had been resident in the Starwood environment since at least 2014 — two years before Marriott completed its $13.6 billion acquisition of the Starwood Hotels & Resorts group in September 2016. The attackers had remained active throughout the acquisition, continuing to operate inside infrastructure that Marriott had purchased but not yet migrated onto its own systems.
On 30 November 2018 Marriott disclosed the breach publicly. The data exfiltrated covered approximately 500 million guest records from Starwood’s Starwood Preferred Guest (SPG) loyalty programme and reservation system. The dataset included names, mailing addresses, phone numbers, email addresses, dates of birth, gender, arrival and departure information, reservation dates, communication preferences, and — for a subset of approximately 5.25 million records — passport numbers stored in an unencrypted format. Payment card numbers were also present in the dataset, though Marriott noted these were encrypted; whether the encryption keys had also been taken was assessed as possible but not confirmed.
US government officials attributed the intrusion to actors operating on behalf of the Chinese Ministry of State Security. The characterisation was consistent with a pattern observed across several other large personal-data breaches from the same period — OPM (2015), Anthem (2015) and Equifax (2017) — in which the stolen data appeared more useful for intelligence collection and targeting than for financial fraud. A database of half a billion hotel-guest records, including passport numbers and travel patterns, provides a rich source for identifying intelligence officers travelling under cover, tracking the movements of government employees, and cross-referencing human-intelligence targets against travel histories.
The UK Information Commissioner’s Office ultimately fined Marriott £18.4 million in October 2020, reduced from the £99.2 million proposed in its initial notice of intent, taking into account Marriott’s cooperation with the investigation and the economic disruption caused by the Covid-19 pandemic.
How it worked
The attackers’ initial entry point into the Starwood environment has not been publicly confirmed at the technical level. What security researchers and post-incident analysis established is that the attackers used a combination of tools associated with Chinese state-sponsored intrusion sets, including components of the PlugX remote access trojan family, Mimikatz for credential harvesting, and custom tools for database enumeration and staging.
Once inside, the attackers established persistence across multiple systems within Starwood’s environment. They used harvested administrative credentials to access the Starwood Reservations System — the database that underpins all booking and loyalty activity across the Starwood brand portfolio. Over the following years they conducted systematic exfiltration of guest records, compressing and encrypting data before moving it out of the environment through covert channels that avoided detection by the monitoring capabilities in place at the time.
The acquisition created a specific and compounding failure. When Marriott completed its purchase of Starwood in September 2016, the security due-diligence process did not identify the existing attacker presence. The Starwood reservation infrastructure was maintained as a separate system running in parallel with Marriott’s own reservation platform while migration planning proceeded. This meant the attacker-controlled environment was not subject to Marriott’s own monitoring and detection tooling, and the attackers were able to continue operating for a further two years inside what was now, legally and financially, Marriott’s infrastructure.
The September 2018 discovery came from a database activity monitoring tool — Guardium, deployed by Marriott’s security team as part of a broader security review — that identified query patterns inconsistent with normal reservation-system behaviour. External forensic investigators were immediately engaged, and the investigation established that the attacker had copied and encrypted a large dataset and was in the process of staging it for exfiltration when the anomaly was flagged.
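As an added illustration of the kind of database-activity baselining described above (example code written for this page, not Marriott's or Guardium's), the following Python builds a per-account profile from a learning window of audit lines assumed to be clean and lists the ways a later query departs from that profile. The log format, account names, client addresses and row counts are all constructed for the example.

```python
from collections import defaultdict
from statistics import median
# Constructed reservation-DB audit lines (not Marriott data):
# timestamp | principal | client | rows_returned | columns touched
AUDIT_LOG = """\
2018-09-06T09:12:01Z|svc_booking|10.20.1.15|3|guest_id,last_name,arrival_date
2018-09-06T11:02:10Z|svc_frontdesk|10.20.2.30|1|guest_id,last_name,passport_number
2018-09-06T15:30:00Z|db_admin|10.20.9.70|12|table_name,index_name
2018-09-07T10:05:55Z|svc_frontdesk|10.20.2.31|1|guest_id,passport_number
2018-09-07T14:40:27Z|svc_booking|10.20.1.16|2|guest_id,arrival_date,departure_date
2018-09-07T16:21:08Z|svc_loyalty|10.20.3.40|120|guest_id,spg_number,email
2018-09-08T02:41:09Z|db_admin|10.20.9.77|4800000|guest_id,last_name,dob,passport_number,arrival_date
2018-09-08T09:00:12Z|svc_booking|10.20.1.15|2|guest_id,last_name,arrival_date
"""
SENSITIVE = {"passport_number", "dob", "card_number"}  # columns worth a closer look

def parse(log):
    """Split each audit line into a dict; hour-of-day is derived from the timestamp."""
    events = []
    for line in log.strip().splitlines():
        ts, who, src, rows, cols = line.split("|")
        events.append({"ts": ts, "who": who, "src": src, "hour": int(ts[11:13]),
                       "rows": int(rows), "cols": set(cols.split(","))})
    return events

def build_baseline(history):
    """Per-principal profile from the learning window: clients seen, hours seen,
    and whether the account normally touches sensitive columns; plus typical row count."""
    prof = defaultdict(lambda: {"clients": set(), "hours": set(), "sensitive": False})
    for e in history:
        p = prof[e["who"]]
        p["clients"].add(e["src"])
        p["hours"].add(e["hour"])
        p["sensitive"] |= bool(e["cols"] & SENSITIVE)
    return dict(prof), median(e["rows"] for e in history)

def score(event, prof, typical_rows, bulk_ratio=1000):
    """Return every way the event deviates from its principal's profile (empty = benign)."""
    p = prof.get(event["who"], {"clients": set(), "hours": set(), "sensitive": False})
    reasons = []
    if event["rows"] >= bulk_ratio * max(typical_rows, 1):
        reasons.append("bulk read")
    if event["cols"] & SENSITIVE and not p["sensitive"]:
        reasons.append("sensitive columns outside profile")
    if event["src"] not in p["clients"]:
        reasons.append("unseen client")
    if event["hour"] not in p["hours"]:
        reasons.append("unseen hour")
    return reasons

def run(log=AUDIT_LOG, learn_days=("2018-09-06", "2018-09-07")):
    """Learn from the first two days, then score everything after them."""
    events = parse(log)
    history = [e for e in events if e["ts"][:10] in learn_days]
    prof, typical = build_baseline(history)
    return {e["ts"]: score(e, prof, typical) for e in events if e["ts"][:10] not in learn_days}
```

The point of the four separate reasons is that a single one (an admin working late, a new jump host) is routine, while a bulk read of passport columns from a never-seen client at 02:41 stacks all of them, which is the shape of alert a reviewer should escalate rather than close.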
Timeline
- 2014 — Attackers gain initial access to the Starwood Hotels IT environment. The specific entry vector has not been confirmed publicly. Tools and tradecraft are consistent with Chinese state-sponsored intrusion sets.
- 2014–2016 — Ongoing reconnaissance and data access within Starwood’s reservation systems. Attackers harvest guest records and establish persistent access across multiple systems.
- November 2015 — Marriott International announces its intention to acquire Starwood Hotels & Resorts for approximately $13.6 billion in a deal that will create the world’s largest hotel company.
- September 2016 — Marriott–Starwood acquisition completes. Starwood’s IT infrastructure, including the Starwood Preferred Guest reservation system, is retained in parallel with Marriott’s own systems pending migration. The attacker presence is not identified during due diligence.
- 2016–2018 — Attacker access continues inside Starwood infrastructure now owned by Marriott. Systematic exfiltration of guest records proceeds undetected.
- September 2018 — Marriott’s database activity monitoring tool (Guardium) flags anomalous query behaviour in the Starwood reservation database. External incident-response investigators engaged.
- 8 September 2018 — Internal investigation confirms an attacker has had access since at least 2014 and has exfiltrated a large volume of guest records.
- 30 November 2018 — Marriott publicly discloses the breach and notifies affected guests. The SPG database is taken offline.
- 2019 — UK ICO and US state regulators open formal investigations. US government officials attribute the breach to Chinese Ministry of State Security-linked actors.
- July 2019 — ICO issues intention to fine Marriott £99.2 million under GDPR.
- October 2020 — ICO reduces fine to £18.4 million, citing Marriott’s cooperation and the economic context of the pandemic.
What defenders should learn
The most consequential lesson from the Marriott breach is not technical — it is organisational. An attacker spent four years inside Starwood’s environment. They survived a $13.6 billion acquisition. They continued operating, largely unimpeded, in infrastructure that had changed ownership twice while they were in it. The root cause of that persistence is not a sophisticated intrusion technique; it is a process failure at the moment of acquisition.
Cyber due diligence in mergers and acquisitions is still treated in many organisations as a checkbox — a review of documented policies and a scan of public-facing systems. The Marriott breach illustrates why that approach is insufficient. The relevant question is not “does the target have good security policies?” but “is there already an attacker in there?” Answering that question requires live forensic investigation of the target environment, not a review of its documentation. Threat-hunt exercises against the acquired infrastructure, conducted before transaction close, give acquirers an opportunity to find what the target’s own monitoring missed. Marriott’s experience has made this a standard recommendation in M&A security advisory; the cost of not doing it is now quantified.
The parallel-system problem that extended Marriott’s exposure is equally instructive. When acquired infrastructure runs separately from the acquirer’s own environment — as Starwood’s systems did for two years after the deal closed — it exists in a monitoring gap. The acquirer’s security tooling does not cover it; the acquired company’s tooling is often degraded or unstaffed during transition. The gap between legal ownership and operational integration is the attacker’s window. Closing that window requires either accelerated migration or deliberate deployment of the acquirer’s monitoring stack onto the legacy environment from day one of ownership.
The passport-number storage failure is a separate and simpler point: sensitive data fields that serve no operational retention purpose should not be stored indefinitely. Passport numbers collected at check-in for identity verification do not need to remain in a reservation database indefinitely in plaintext. Data-minimisation disciplines — regular review of what is held, for how long, and whether retention serves any current function — reduce the value of any given database to an attacker who reaches it.
Finally, the intelligence-collection framing of the attribution carries a specific lesson for organisations whose employees or customers are likely targets of foreign intelligence interest. Hotels, healthcare insurers, and financial institutions collectively hold the personal-data infrastructure that foreign intelligence services need to do their work. Those organisations are not incidental targets; they are the target. The defensive implication is that nation-state threat modelling should be a standing consideration for any organisation that holds data on a large population of professionals, travellers, or government employees, not merely for defence contractors and government agencies.
Sources
- Marriott International — Wikipedia (data breach section) // reporting
- ICO — Marriott International monetary penalty notice // primary
- Krebs on Security — Marriott: Data on 500 Million Guests Stolen in 4-Year Hack // reporting
- U.S. Department of Justice — Chinese Military Personnel Charged with Computer Fraud (related attribution context) // primary