Assessing the Marriott Data Breach—and Its Botched Response


It was one of the biggest data breaches of all time.

In late November 2018, hospitality giant Marriott revealed that a massive hack led to the theft of personal data belonging to an incredible 383 million customers.

But while the sheer magnitude of the breach is what made headlines, the response is equally shocking. By failing to learn from the lessons of other famous megabreaches—namely the one that hit Equifax just a year earlier—Marriott’s information security team made an already bad situation much worse.

What happened?

In a press release, the company said it was first alerted on September 8 that an unauthorized party had attempted to access the guest reservation database belonging to its Starwood properties, which comprises hotel chains including the W and Four Points by Sheraton. An investigation revealed “unauthorized access to the Starwood network” dating back to 2014, and that approximately 500 million guests’ personal information had been compromised. That figure was revised downward to 383 million in January 2019.

In what may have been the result of a Chinese intelligence-gathering effort, Marriott’s Computer Incident Response Team (CIRT) was compromised thanks to a mistake by a contracted cybersecurity vendor called SecureWorks, which was supposed to be protecting the hotel giant. The episode throws into stark relief—yet again—the risks companies inherit when they work with third parties.

For roughly 327 million guests, the data breach revealed “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences,” according to the company’s statement.

In January 2019, the company confirmed that more than five million unencrypted passport numbers were stolen, on top of the more than 20 million encrypted passport numbers.

Other guests’ credit card numbers and expiration dates also may have been accessed. While the announcement noted that the credit card numbers were encrypted, it’s possible that associated encryption keys were compromised as well.

How did Marriott botch the response?

Put simply, it didn’t learn from the Equifax breach.

In its initial breach notification email, Marriott directed recipients to a website it set up to address the situation, communicate its response plan, and answer some frequently-asked questions. This seems like a sound strategy in theory, but it’s nearly identical to the one Equifax adopted, earning heavy criticism.

Here’s why: the email address used to send Marriott’s breach notification (, while legitimate, does not appear to be trustworthy. The domain itself doesn’t load or have an identifying HTTPS certificate, and it doesn’t even belong to Marriott—it’s owned by a third party on behalf of the hotel.

In fact, there’s no easy way to check that the domain is real, aside from a buried note on Marriott’s data breach notification site that confirms the domain as legitimate. Making matters worse, the email is easily spoofable (at a quick glance, it’s hard to discern from, say, or some other slight spelling variation).

In the wake of major, headline-grabbing megabreaches, scammers will capitalize on the news cycle by tricking users into turning over private information with their own stream of fake messages and websites.

It’s more common than you might think. During the Equifax breach response, fake sites were created shortly after Equifax published its own initial response website (, duplicating the original but altering the domain name slightly. In fact, Equifax’s own employees wound up confused and mistakenly directed users to the fake website “” via the company's own Twitter handle multiple times.
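The two episodes above share one failure mode: a recipient cannot easily tell a legitimate notification domain from a slight spelling variation of it. The following is an added example (not code from the original post, and not Marriott's or Equifax's own tooling) showing how a defender can triage the sender domain of an inbound notification against an allow-list of the organisation's real domains, flagging homoglyph and typo variants and brand labels reused inside someone else's registrable domain. The domains in `KNOWN_DOMAINS` and the sample list are constructed placeholders, since the post elides the real ones; live checks such as fetching the HTTPS certificate or WHOIS record need network access and are deliberately out of scope here.

```python
"""Triage the sender domain of a breach-notification email against an
organisation's known domains, flagging near-matches that a reader could easily
mistake for the real thing. Added example; all domains below are constructed."""
from __future__ import annotations

# Constructed placeholder allow-list (assumption: the defender maintains one;
# the real domains are not given on the page).
KNOWN_DOMAINS = ["example-hotels.example", "notify.example-hotels.example"]

# Characters commonly substituted for visually similar ones. Both sides of a
# comparison are folded, so 'examp1e' and 'example' compare equal.
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_PAIRS = (("rn", "m"), ("vv", "w"))


def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot, and fold common homoglyphs."""
    d = domain.strip().lower().rstrip(".")
    for pair, repl in _PAIRS:
        d = d.replace(pair, repl)
    return d.translate(_SINGLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute; cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, known: list[str] = KNOWN_DOMAINS,
             max_edits: int = 2) -> tuple[str, str | None]:
    """Return (verdict, matched_known_domain), where verdict is one of:
      'exact'     - the domain is on the allow-list
      'subdomain' - it sits under an allow-listed domain
      'lookalike' - a homoglyph/typo variant of one, or the brand label reused
                    inside a different registrable domain
      'unrelated' - no resemblance found
    """
    d = domain.strip().lower().rstrip(".")
    known_lc = [k.strip().lower().rstrip(".") for k in known]
    for k in known_lc:               # exact matches first, across the whole list
        if d == k:
            return "exact", k
    for k in known_lc:               # then genuine subdomains of an allowed domain
        if d.endswith("." + k):
            return "subdomain", k
    nd = normalize(d)
    labels = d.split(".")
    for k in known_lc:
        # Registrable label of the known domain, e.g. 'example-hotels'.
        brand = k.split(".")[-2] if "." in k else k
        if normalize(k) == nd or edit_distance(nd, normalize(k)) <= max_edits:
            return "lookalike", k
        if brand in labels:
            # Brand label present, but the registrable domain is someone else's.
            return "lookalike", k
    return "unrelated", None


def triage(sender_domains: list[str]) -> dict[str, str]:
    """Map each sender domain to its verdict. Anything other than 'exact' or
    'subdomain' should be escalated before a recipient acts on the email."""
    return {s: classify(s)[0] for s in sender_domains}


if __name__ == "__main__":
    # Constructed sample of sender domains seen in inbound notifications.
    samples = [
        "example-hotels.example",
        "notify.example-hotels.example",
        "examp1e-hotels.example",
        "example-hotel.example",
        "example-hotels.example.test-evil.example",
        "unrelated-shop.example",
    ]
    for dom, verdict in triage(samples).items():
        print(f"{verdict:10s} {dom}")
```

The allow-list is the part that matters operationally: the post's complaint is that Marriott's notification domain was not on any list a recipient could check, so the company's own people could not vouch for it without a buried note on the breach site. Maintaining and publishing that list (and sending from a domain on it) removes the guesswork this script is compensating for.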

Your company can do better

Companies can look at the Marriott and Equifax responses and learn some valuable lessons, without becoming victims themselves. Despite the missteps, Marriott actually did a few things right. For example, other companies would be wise to take note of the short amount of time between when Marriott became aware of the breach and when it notified customers. It also smartly set up a dedicated call center for guests wondering if their information was compromised and provided free, year-long subscriptions to an identity-theft monitoring service called WebWatcher.

Companies shouldn’t wait until it’s too late to improve their breach response processes. They should learn from other breach examples to help inform their own Incident Response Plans and make improvements, while hoping they never need to be used.

Finding the right tools

Improving response plans, automating processes, and keeping key personnel up-to-date are no small tasks. You’ll want a central location where you can document your breach response plans and processes. When a crisis hits is not the time for strategy and planning — you want your security team focused on executing your response plans. LogicGate’s Incident Management module provides a holistic view of your organization’s breach response plans. Incident response tasks, workflows, communication protocols, and SLAs are centralized, giving you the ability to execute the breach response you’ve worked so hard to plan with the click of a button.


For more on Third-Party Risk Management, check out LogicGate's eBook below on Third-Party Risk: Driving Cross-Functional Alignment Across the Vendor Lifecycle.

