Espionage · Resolved

Marriott / Starwood guest data breach

Chinese state-attributed operators sat undetected on Starwood's guest reservation database from 2014, surviving Marriott's 2016 acquisition. Disclosed 2018: up to 500 million guest records exposed (later revised by Marriott to approximately 383 million records), including 5.25 million unencrypted passport numbers.

Victim: Marriott International / Starwood Hotels & Resorts
Loss: $200.0M
Records: 500.0M
Users: 500.0M

On 30 November 2018, Marriott International disclosed that an unauthorized party, later assessed by U.S. officials and major industry analysts to be Chinese state actors, had been resident on the Starwood Hotels & Resorts guest reservation database since July 2014. The intrusion had survived Marriott's $13.6 billion acquisition of Starwood in September 2016 and continued unnoticed through the subsequent two years of Marriott ownership.

The initial scope: personal records on up to 500 million guests, at the time the second-largest data breach on record, behind only Yahoo. Marriott's January 2019 update lowered the upper bound to approximately 383 million records, noting that the number of unique guests was smaller because many guests had multiple records.

What happened

The attackers entered Starwood's network in mid-2014, more than four years before public disclosure. They installed a combination of:

  • Web shells for persistent command-and-control over HTTP
  • Mimikatz for credential harvesting from memory
  • Multiple custom implants for data staging and exfiltration

Once inside, they obtained domain administrator credentials, mapped the environment, and gained access to the central guest reservation database that Starwood used across its Westin, Sheraton, W, St. Regis, Le Méridien, Aloft, and other branded properties worldwide.

For the next four-plus years, the operators had continuous access to:

  • Names, mailing addresses, phone numbers, and email addresses of guests
  • Dates of birth and gender
  • Passport numbers (~5.25 million stored unencrypted; ~20.3 million encrypted, with Marriott unable to rule out that the components needed to decrypt them had also been taken)
  • Loyalty program account information (Starwood Preferred Guest)
  • Arrival and departure dates, reservation dates, and communication preferences
  • For ~8.6 million guests: encrypted payment card numbers and expiry dates, with the same caveat that the decryption components lived on the compromised systems and their theft could not be excluded

The exfiltration was slow, careful, and continuous, consistent with a state intelligence-collection operation rather than a smash-and-grab criminal one.

Marriott's acquisition and the missed migration

In September 2016, Marriott completed its acquisition of Starwood. As part of the integration plan, Marriott intended to migrate Starwood reservations onto Marriott's own MARSHA reservation platform within two years. The migration was not completed before the breach was detected, and the attackers retained access to the Starwood-side infrastructure throughout the post-acquisition period.

The strategic implication: Marriott inherited an unknown active breach in the acquisition. Standard pre-acquisition due diligence (financial, legal, regulatory) had not surfaced the compromise. Cybersecurity-specific due diligence has since become a standard component of M&A in regulated industries, and Marriott / Starwood is one of the most-cited motivating cases.

Detection finally came on 8 September 2018, when Marriott's Accenture-managed threat-detection tool alerted on a suspicious internal database query against the Starwood reservation system. The subsequent forensic investigation traced the access back to July 2014.
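The alert that ended the intrusion fired on a database query that did not fit the account running it. The script below is an added example, not Marriott's, Accenture's or any vendor's detection logic, of what that class of rule looks like when run over database audit records. The log format, the account and table names, and the sample lines are all constructed for illustration; the thresholds are hypothetical. It learns which sensitive tables each account touches and how large its result sets normally are from a baseline window, then flags three things in a later window: an account reading a sensitive table it has never read before, an unfiltered read (a COUNT(*) or a SELECT with no WHERE, the shape of both reconnaissance and bulk pulls), and a result set far outside the account's history.

```python
"""Baseline-and-deviation detector for anomalous internal database queries.

Added example, not code from Marriott, Accenture or any product. The audit-log
format, account names, table names, thresholds and sample lines are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed audit-log format: ts|db_user|client_host|rows_returned|statement
BASELINE_LOG = """\
2018-08-01T02:10:11Z|rsvp_app|app-01.internal|1|SELECT guest_id, arrival_dt FROM reservation WHERE conf_no = 'A1'
2018-08-01T02:11:02Z|rsvp_app|app-01.internal|1|SELECT name, email FROM guest WHERE guest_id = 42
2018-08-01T03:00:00Z|nightly_etl|etl-01.internal|48000|SELECT guest_id, arrival_dt, depart_dt FROM reservation WHERE arrival_dt = '2018-08-01'
2018-08-02T02:15:40Z|rsvp_app|app-02.internal|1|SELECT name, email FROM guest WHERE guest_id = 77
"""

SUSPECT_LOG = """\
2018-09-08T01:02:03Z|rsvp_app|app-01.internal|1|SELECT name, email FROM guest WHERE guest_id = 9
2018-09-08T01:05:44Z|svc_backup|jump-03.internal|1|SELECT COUNT(*) FROM guest
2018-09-08T01:07:10Z|svc_backup|jump-03.internal|2400000|SELECT name, passport_no, dob FROM guest
2018-09-08T03:00:00Z|nightly_etl|etl-01.internal|51000|SELECT guest_id, arrival_dt, depart_dt FROM reservation WHERE arrival_dt = '2018-09-08'
"""

SENSITIVE_TABLES = {"guest", "passport", "payment_card"}  # hypothetical schema
ABSOLUTE_ROW_LIMIT = 10_000  # rows an account with no history may return unremarked
BURST_FACTOR = 10            # multiple of an account's largest historical result set

TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][\w.]*)", re.I)
WHERE_RE = re.compile(r"\bWHERE\b", re.I)


@dataclass
class Event:
    ts: str
    user: str
    host: str
    rows: int
    statement: str

    @property
    def tables(self) -> set[str]:
        return {t.lower() for t in TABLE_RE.findall(self.statement)}

    @property
    def is_unfiltered_read(self) -> bool:
        # A SELECT with no WHERE touches every row: COUNT(*) recon or a bulk pull.
        s = self.statement.strip()
        return s.upper().startswith("SELECT") and WHERE_RE.search(s) is None


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, rows, stmt = line.split("|", 4)
        events.append(Event(ts, user, host, int(rows), stmt))
    return events


@dataclass
class Baseline:
    tables_by_user: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    max_rows_by_user: dict[str, int] = field(default_factory=dict)


def build_baseline(events: list[Event]) -> Baseline:
    """Record, per account, the tables it touched and its largest result set."""
    b = Baseline()
    for e in events:
        b.tables_by_user[e.user] |= e.tables
        b.max_rows_by_user[e.user] = max(b.max_rows_by_user.get(e.user, 0), e.rows)
    return b


def detect(events: list[Event], baseline: Baseline) -> list[tuple]:
    """Return (rule, user, host, tables, statement) tuples for deviating events."""
    alerts = []
    for e in events:
        sensitive = e.tables & SENSITIVE_TABLES
        if not sensitive:
            continue  # only sensitive tables are baselined here
        unseen = sensitive - baseline.tables_by_user.get(e.user, set())
        if unseen:
            alerts.append(("new_sensitive_access", e.user, e.host, sorted(unseen), e.statement))
        if e.is_unfiltered_read:
            alerts.append(("unfiltered_read", e.user, e.host, sorted(sensitive), e.statement))
        hist = baseline.max_rows_by_user.get(e.user)
        limit = hist * BURST_FACTOR if hist else ABSOLUTE_ROW_LIMIT
        if e.rows > limit:
            alerts.append(("volume", e.user, e.host, sorted(sensitive), e.statement))
    return alerts


def run() -> list[tuple]:
    return detect(parse_log(SUSPECT_LOG), build_baseline(parse_log(BASELINE_LOG)))


if __name__ == "__main__":
    for a in run():
        print(a)
```

On the constructed data the application and ETL accounts stay quiet, while the `svc_backup` account connecting from a jump host produces five alerts across its two statements: a never-before-seen read of the guest table, two unfiltered reads, and one result set two orders of magnitude above anything with a history. The design choice that matters is that the rules key on who is asking and how much comes back, not on the SQL text alone; a valid domain-admin credential, which the attackers held, defeats text-only rules but still shows up as an account doing something it has never done.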

Impact

  • Up to 500 million guest records exposed (revised to ~383 million in January 2019), including:
    • ~327M guests whose records held some combination of name, address, phone, email, passport number, SPG account, date of birth, gender, and reservation details
    • ~5.25M unencrypted passport numbers
    • ~20.3M encrypted passport numbers (theft of the decryption components not ruled out)
    • ~8.6M encrypted payment card numbers
  • UK ICO penalty: £18.4M (~$23.8M USD) in October 2020, reduced from a proposed £99M and one of the largest GDPR penalties at the time.
  • U.S. multi-state AG settlement: $52M agreed in October 2024, announced alongside an FTC order requiring Marriott to run an information security program with independent assessments.
  • Class action settlement: $26.5M in 2022.
  • Total disclosed cost: ~$200M+ before insurance.

Attribution

U.S. attribution came in December 2018 through officials speaking to the press and through Secretary of State Mike Pompeo, who publicly stated that China was behind the intrusion. The operation was assessed as part of the broader Chinese collection campaign against personal-records-rich U.S. data sources, a campaign that also includes Anthem (2015), OPM (2015), and Equifax (2017). The Equifax intrusion was later charged by the U.S. Department of Justice (February 2020) to members of the PLA rather than to the MSS-linked operators associated with the other cases, so these are best read as one state campaign rather than one actor cluster.

The strategic value of the Marriott / Starwood data is travel pattern intelligence: identifying when specific persons of interest (U.S. government officials, intelligence officers, foreign-service personnel, contractor employees with cleared access) were where, and with whom they overlapped. Cross-referenced with the OPM and Anthem datasets, the combined intelligence yields a comprehensive operational profile.

Why it matters

Marriott / Starwood is the canonical case for cyber due diligence in M&A. It established:

  • That active intrusions can survive acquisitions and become the buyer's problem post-close. The acquired company's cybersecurity posture is an inherited liability.
  • That passport numbers are a target-class of data distinct from credentials or ordinary PII. A passport number stays fixed for the document's validity period (ten years for an adult U.S. passport) and changes only on reissuance; unlike a password it cannot be rotated on demand, so its compromise persists for years, and even after expiry the number still keys historical travel records.
  • That four-plus years of dwell time at a Fortune 500 company is operationally achievable for state actors. The detection mechanism that eventually surfaced the breach existed, but only in the post-acquisition phase; Starwood's pre-acquisition monitoring had not caught the operation in years of running.
  • That GDPR enforcement can produce 8-figure penalties against U.S. companies for failure to protect EU personal data, even when the intrusion long predates the regulation. The ICO penalty was issued in 2020 for an intrusion that began in 2014; the penalised infringement covered the period from 25 May 2018, when GDPR became applicable, until detection in September 2018.

Financial impact

Reported costs in USD

Total reported loss: $200.0M (USD $200,000,000)

  • Business loss: $100.0M
  • Remediation: $75.0M
  • Fines & settlements: $75.0M

Timeline

  1. July 2014: Initial intrusion into Starwood Hotels' reservation network. Operators install web shells, Mimikatz, and multiple custom implants, and establish persistent access to the central guest reservation database.

  2. 2014 to 2018: Continuous access to Starwood guest reservations for over four years.

  3. September 2016: Marriott completes its $13.6B acquisition of Starwood. Marriott begins planning to migrate Starwood reservations onto its own MARSHA platform but does not complete the migration before the breach is detected.

  4. 8 September 2018: Marriott's threat-detection tool (Accenture-managed) alerts on suspicious internal database query activity from the Starwood environment.

  5. 30 November 2018: Marriott publicly discloses the breach. Initial scope: up to 500 million guest records, including 5.25 million unencrypted passport numbers and 8.6 million encrypted payment cards.

  6. December 2018: U.S. officials and the security press attribute the operation to Chinese intelligence services.

  7. October 2020: UK ICO fines Marriott £18.4M (~$23.8M USD), one of the largest GDPR penalties issued to that date.

  8. October 2024: Marriott agrees to a $52M multi-state attorneys general settlement.

Sources

  1. news.marriott.com: https://news.marriott.com/news/2018/11/30/marriott-announces-starwood-guest-reservation-database-security-incident
  2. washingtonpost.com: https://www.washingtonpost.com/world/national-security/china-hackers-marriott-breach/2018/12/11/d3082b8e-fcb1-11e8-83c0-b06139e540e5_story.html
  3. ico.org.uk: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2020/10/ico-fines-marriott-international-inc-184million-for-failing-to-keep-customers-personal-data-secure/

Related incidents

Espionage · Contained

Salt Typhoon US telecom espionage campaign (2024)

China-linked Salt Typhoon infiltrated at least nine U.S. telecom providers, among them Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated, and Windstream, including the CALEA lawful-intercept systems used for court-authorised wiretaps. Metadata for over a million users was exposed; the U.S. Treasury sanctioned a linked PRC contractor.

Victim: U.S. telecommunications providers (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream)

Espionage · Contained

Microsoft Storm-0558 signing-key theft and US government email access (2023)

China-based Storm-0558 forged authentication tokens using a stolen Microsoft consumer signing key and read email at approximately 25 organisations, including the US State Department, the Department of Commerce, and the U.S. Ambassador to China. The 'cascade of errors' that enabled it became a defining case for cloud-provider key custody.

Victim: Microsoft customers (US State Department, Department of Commerce, ~25 organisations)

Espionage · Resolved

Democratic National Committee hack

Russian GRU Units 26165 and 74455 (APT28), with the separately attributed APT29 also present in the DNC network, compromised the Democratic National Committee, Hillary Clinton campaign, and DCCC. Stolen emails were selectively released via 'DCLeaks', 'Guccifer 2.0', and WikiLeaks to influence the 2016 U.S. presidential election.

Victim: Democratic National Committee + Clinton campaign + DCCC
Loss: $50.0M
Records: 50.0K