The Marriott hack that stole data from 500 million people started four years ago — investors should ask how the company missed it

Key Points
  • In terms of sheer numbers, Marriott's breach stands out at affecting 500 million people.
  • The company's financials are unlikely to take a substantial hit with cyber insurance coverage in place, but its reputation could pay a price.
  • Investors will be asking: How could their security tools have missed a massive four-year-long hack? Did the company do the right due diligence during its 2016 merger with Starwood?
The Marriott in Hangzhou in China's Zhejiang Province
AFP | Getty Images

The Marriott breach has the sheer numbers and brand star power to make people take notice: 500 million people were affected, including possibly anyone who stayed at ubiquitous Marriott and Starwood properties across the globe. An unknown attacker stole information including emails, names, addresses, passport numbers and possibly payment card information, in a slow-moving attack that lasted four years.

The breach itself isn't terribly unusual, but it raises two critical questions:

  • Why did its security systems fail to detect a breach until four years after it started?
  • Did a huge merger between Marriott and Starwood in 2016 lead either company to lose full sight of its corporate-wide technology and security risk?

Reputation will take a bigger hit than financials

Marriott stock is down about 5 percent in a mixed market on Friday.

But analysts seemed initially unconcerned about the financial impact: "Uncertainty regarding a potential impact to the brand will likely weigh on sentiment for trading today," wrote Wes Golladay of RBC Capital Markets in an analyst statement this morning. However, "Much like other companies that have worked through large data breach issues we expect [Marriott] to do the same," he said.

Marriott has cyber insurance, the company said in an 8-K report filed today. The company said it's looking into how that coverage will kick in to cover this event, but in most cases insurance significantly offsets the costs of these kinds of breaches.

Most details of the breach are still unclear and pending investigation, the company said. The company said it was investigating all aspects of the attack, including how it occurred, whether unencrypted payment data was accessed or why a security tripwire wasn't activated when the thefts began in 2014, among other details.

But customers and investors may have deeper concerns about the time it took to detect the breach and what it means for the company's existing security investments.

Like most large companies that deal with sensitive financial data, Marriott has a sophisticated cybersecurity program with access to top-line security vendors and tools. Having a single breach, apparently from one origin, slide under the radar for four years is a big deal. Marriott will almost certainly do an internal review to find out which products failed and how.

The event, which the company said affected the Starwood guest reservation database, may also call into question how the company conducted cybersecurity due diligence prior to its merger with the rival chain. The 2016 merger brought the W Hotel, Sheraton and St. Regis brands into the Marriott fold.

Several companies in recent years have suffered major headaches after mergers when the acquired companies fell victim to a breach, including Under Armour (MyFitnessPal) and FedEx (TNT Express).

As more details emerge about the incident at Marriott, the board and investors will ask how security and technology systems were merged following the Starwood deal, how the two security teams were combined and how they communicated with one another afterward, which security vendors the chain had been contracting with, and whether any of those agreements are changing.

Marriott will see modest impact on numbers, says Jefferies analyst