⛓ Supply Chain

Marriott International / Starwood Data Breach (2018)

📅 2014-07-29 🏢 Starwood Hotels & Resorts Worldwide (acquired by Marriott in 2016) 🦠 Remote Access Trojan (RAT); Mimikatz credential-harvesting tool; memory-scraping malware
Primary Source ↗

Incident Details

The Marriott/Starwood breach is one of the largest data breaches in history and a landmark case study in the risks of inheriting a compromised IT environment through corporate acquisition. Attackers first penetrated Starwood Hotels & Resorts Worldwide’s network on or around July 29, 2014, approximately two years before Marriott completed its $13.6 billion acquisition of Starwood in September 2016. The breach went entirely undetected for over four years.

Initial access was gained by planting a web shell on a server tied to Starwood's Accolade application, an internal tool that let employees request changes to website content. Using the web shell as a foothold, the attackers installed a Remote Access Trojan (RAT) to maintain persistent access to Starwood's network. They subsequently deployed Mimikatz, an open-source credential-harvesting tool, to scrape usernames and passwords from system memory, enabling privilege escalation and lateral movement across Starwood's infrastructure. Memory-scraping malware was also deployed to harvest payment card data. Starwood's systems reportedly had multiple weaknesses: outdated server software, insufficient monitoring of privileged accounts, insufficient database activity monitoring, and inadequate server hardening. Critically, some passport numbers and other sensitive data were not encrypted at all, and where AES-128 encryption was used for payment card data, the encryption keys were stored on the same servers as the encrypted data, so an attacker with access to those servers could recover both.

The breach was discovered on September 8, 2018, by an internal security tool. Marriott disclosed it publicly on November 30, 2018. Initially estimated to affect up to 500 million guests, the revised figure settled at approximately 339 million guest records globally, including 5.25 million unencrypted passport numbers, 20.3 million encrypted passport numbers, and 8.6 million encrypted payment card numbers (some of which had expired). The data exposed included names, addresses, phone numbers, email addresses, dates of birth, gender, loyalty program information, reservation details, and communication preferences drawn from the Starwood Preferred Guest (SPG) loyalty program database.

Attribution pointed to Chinese state-sponsored hackers. Reporting in the New York Times and Washington Post in December 2018 cited U.S. government sources linking the attack to Chinese intelligence services, with techniques and infrastructure consistent with Chinese state-nexus threat actors. The operation was assessed to have intelligence-collection objectives β€” particularly the harvesting of U.S. government and military personnel travel records from the SPG database.

Regulatory consequences were significant. The UK Information Commissioner's Office (ICO) initially proposed a £99.2 million GDPR fine in July 2019. In October 2020, the final fine was reduced to £18.4 million, partly because of mitigating factors including Marriott's cooperation with the investigation and partly because of the economic impact of the COVID-19 pandemic on the hospitality industry. In the United States, Marriott agreed to a $52 million settlement with a coalition of state attorneys general in 2024. The ICO cited four principal failures: insufficient monitoring of privileged accounts, insufficient database monitoring, failure to implement server hardening, and failure to encrypt certain personal data.

The case became a seminal example of M&A cybersecurity risk: Marriott acquired Starwood without conducting adequate due diligence on the security posture of its target's systems, and in doing so inherited an attacker who had already been present in the Starwood network for two years before the acquisition closed.

Technical Details

Initial Attack Vector
Web shell planted on a Starwood Accolade application server in July 2014 via compromised employee credentials (likely phishing), followed by RAT deployment for persistent access; credential harvesting with Mimikatz; lateral movement into the Starwood guest reservation database (SPG) over four years before detection in September 2018
Vendor / Product
Starwood Hotels & Resorts Worldwide (acquired by Marriott in 2016)
Malware Family
Remote Access Trojan (RAT); Mimikatz credential-harvesting tool; memory-scraping malware
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2014-07-29 Initial compromise of the Starwood network
  2. 2018-11-30 Publicly disclosed
  3. 2018-11-30 Customers notified