Tags: breach, hospitality, china

Marriott / Starwood

An intelligence-grade intrusion sat undetected inside Starwood's reservation system for four years, surviving a multi-billion-dollar acquisition by Marriott.

Cyber Chronicle

In November 2018, Marriott disclosed that its newly acquired Starwood hotel brand had been the subject of a long-running intrusion. The breach affected roughly five hundred million guest records, including names, addresses, passport numbers, and — for a subset — payment card information.

Inside the reservation system since 2014

The most disquieting detail was the timeline. The intruders had been inside Starwood's reservation environment since 2014 — two years before Marriott acquired Starwood for $13.6 billion in 2016, and another two years until Marriott's own security tooling, deployed across the merged estate, finally generated an alert.

US officials and reporters attributed the operation to Chinese intelligence services, framing it as part of a broader collection effort against US citizens of interest. The targeting profile — long-term collection of hospitality, healthcare, and personnel data rather than monetization — matched a pattern already attributed to the same actors in the OPM, Anthem, and Equifax incidents.

The price of inheriting a breach

The financial consequences for Marriott played out for years. The UK Information Commissioner's Office initially proposed a fine of £99 million under GDPR, reduced on appeal to £18.4 million. Multiple class actions followed. The post-mortem also became a fixture in M&A diligence conversations: the buyer assumes the seller's undisclosed breaches along with the brand.

What the chronicle remembers

Marriott / Starwood is the canonical M&A cybersecurity story. Buyers now routinely scope cybersecurity diligence as a separate workstream, and the deal's headline figure — five hundred million records inherited at acquisition — is the example most often cited.