M&A Cybersecurity: Lessons from the Marriott Breach

By Christian Have, CPO, LogPoint

The new year is a time of reflection and learning from the mistakes of the past. For many organizations, that means re-evaluating their security posture and making improvements—whether they experienced a breach themselves or watched one of the many headline-making breaches unfold in 2018.

One of the most important breaches to learn from is the Marriott breach, which compromised the information of up to 500 million guests, making it one of the largest breaches of consumer data ever. Marriott, one of the world’s largest hotel chains, announced the security incident Nov. 30.

According to Marriott, on Nov. 19, an investigation determined there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before Sept. 10. Based on the sheer volume of compromised data, it was immediately evident that this attack had been underway for some time.—you don’t exfiltrate information on half a billion people overnight.

Marriott was alerted to unauthorized access Sept. 8, but quickly realized it was living a business’s nightmare when it was discovered the unauthorized access could be traced as far back as 2014.
It’s been one bad headline after another ever since.

Based on current reports, it appears the breach did not originate with Marriott, but within the Starwood network—a family of hotels and resorts Marriott acquired in 2016.

Since the breach started in 2014 (before the acquisition), it’s possible that Marriott unknowingly “inherited” the vulnerability as part of the acquisition. In the four years since, hackers have been able to gather information, bypass the in-house security measures and infiltrate the exact information they required. The longer it takes to contain a breach, the more damage is done and the more time it will take to remediate the impact.

Based on my math, this is going to be one costly acquisition for Marriott. The Ponemon Institute’s 2018 “Cost of a Data Breach” study put the average cost of a lost or stolen record at $148 per. With the number of compromised records in this incident, Marriott is potentially looking at a whopping $74 billion price tag—not to mention the significant damage the breach has done to its reputation.

Taking a step back from Marriott, the case highlights the challenges posed in maintaining cybersecurity during mergers and acquisitions (M&A).

Businesses need to consider the security posture of an organization they will acquire or merge with very seriously— if not, it could cost them their business. When looking at the value of M&A, organizations simply must evaluate the prospects history of defending itself in the past. Companies exist that can provide public ratings for how companies are doing from an external perspective.

While a thorough evaluation is ideal and can help mitigate risks, it can be extremely challenging to complete security reviews when other elements of the M&A are underway. This challenge is especially compounded in industries with significant consolidation. In the manufacturing industry, for example, a company can acquire 10 to 30 companies a year. With growth at that pace, it’s a lofty undertaking to maintain security.

Applying proper cybersecurity measures in a combined network is critical to maintaining the security posture of the new organization (which will likely have a more complex network). The following considerations can help to mitigate risks and set organizations up for success:

• Collaborate from a very early stage. The sooner you can join business, technical and security teams from each organization, the better. Constant communication, knowledge-sharing and insight into the activities of each business will avoid any missteps early on and can also improve team-building across both organizations. At the onset of M&A, business leaders should create a security committee comprised of key stakeholders from various departments within each organization. Together, they can map out a plan for assessing both organizations’ cybersecurity efforts throughout the merger/acquisition process.
• Ensure baseline measurements and capabilities are in place. Before networks are connected, both organizations must ensure bare minimum capabilities are in place. This includes basic security hygiene practices, including identifying and safeguarding an organization’s most critical data; establishing network security/monitoring; implementing access controls; developing an incident response plan; and more. Baselining your enterprise is also very important, as it is the only way to determine if something is normal behavior or abnormal activity. Again, before any systems or networks are connected, it is imperative for both organizations to have a baseline understanding of network activity.
• Conduct a cyber-risk assessment. During the transition phase of the joining two companies—when systems and networks are merged—it is critical to perform a thorough cyber-risk assessment to ensure both organizations are aligned on actionable intelligence prior to completion of a transaction. An in-depth cyber-risk assessment evaluates technology, processes and people to uncover potential vulnerabilities.
• Implement centralized log management. Centralized log management should be put in place for all organizations, but especially when bringing together disparate systems, networks and data during M&A. These logs can be generated by many sources, including antivirus software, firewalls and intrusion detection and prevention systems, as well as operating systems on servers, workstations, applications and more. Log management can serve as a hub for all security considerations and enable teams to collaborate more quickly when reviewing potential vulnerabilities.
• Use data analytics to detect threats faster. Data analytics should remain a core element of any security program, but especially when merging two organizations. User and Entity Behavior Analytics (UEBA) in particular can help to quickly determine normal versus abnormal activity on your network. The more data you feed into a UEBA solution, the more quickly and accurately the solution can flag potential vulnerabilities and provide recommendations on the next best action.

The reality for organizations today is that it is no longer a matter of whether you will be breached, but when you will be breached. In fact, this is so widely accepted as fact that more and more organizations are purchasing cybersecurity insurance to help mitigate the costs when breaches do occur (something I’d also recommend looking into prior to M&A).

The more thorough organizations are at the start of M&A, the more likely they are to avoid repeating the mistakes that have created chaos for Marriott. There are many factors and considerations throughout the M&A process, but it takes only one weak link to break a company’s security barrier. The attack on Starwood was likely a standard attack that could (and should) have been detected, if not while an independent organization, then certainly when it joined the Marriott organization.