Summary
In November 2018 Marriott disclosed that the Starwood guest-reservation database had been breached. The headline number moved as the investigation went on, from an initial 500 million down to a refined estimate of around 339 million guest records, including 5.25 million unencrypted passport numbers. The most striking detail was the dwell time: attackers had been inside the Starwood system since July 2014 and went undetected for more than four years, straight through Marriott's 2016 acquisition of Starwood. Marriott inherited the compromised infrastructure without knowing intruders were already in it, and only an internal security tool flagging an unusual database query in September 2018 finally surfaced the breach, which US government sources attributed to Chinese state-linked actors. It led to a $52 million multi-state settlement and a 20-year FTC security order. It is the lesson in mergers-and-acquisitions cyber due diligence, dwell-time detection, and protecting and encrypting sensitive records.
How it happened
The breach did not belong to Marriott at first; it belonged to Starwood, the hotel group (Sheraton, Westin, W) that Marriott would later buy. Attackers got into Starwood's guest-reservation system in July 2014, reportedly through a phishing-delivered remote-access trojan, and quietly settled in. When Marriott acquired Starwood in September 2016, it took on that reservation system, and the intruders sitting inside it, without detecting them. Cyber due diligence, if any was done, did not find a years-old active compromise.
So the attackers simply kept going, for more than four years total. They were finally caught on 8 September 2018, when a security tool Marriott had deployed flagged an unusual query against the Starwood database; forensics then turned up the remote-access trojan and the credential-stealing tool Mimikatz, which the attackers had used to harvest credentials and reach an administrator account that could query the guest database. The long, patient, espionage-flavoured profile pointed to a Chinese state group, an APT for whom a global hotel chain (a near-perfect source of who travelled where, and when, including government and military guests) is a high-value target, though Marriott never officially confirmed the attribution and no one was ever charged.
The damage
Around 339 million guest records were exposed. The data breaks down: roughly 8.6 million encrypted payment-card numbers (nearly all of them already expired), 20.3 million encrypted passport numbers, and 5.25 million passport numbers stored in plain text. On the encryption, Marriott was careful: it said it had found no evidence the attackers accessed the two components needed to decrypt the card data, though it could not entirely rule it out. Beyond the privacy harm, the travel histories of millions, including officials, carried clear intelligence value. The regulatory fallout was lasting, and it covered not one breach but three (an earlier Starwood intrusion, the famous four-year one, and a later breach on Marriott's own network running into 2020, together affecting more than 344 million customers): a $52 million settlement with 49 states and Washington DC in 2024, an FTC order finalised that December mandating a comprehensive security program for 20 years, and earlier, a UK fine the regulator first set at nearly £100 million before reducing to £18.4 million.
Why Marriott still matters
Marriott teaches two lessons that rarely get equal billing. The first is mergers-and-acquisitions security: when you buy a company you buy its breaches, so cyber due diligence belongs in the deal, and the acquired environment needs to be investigated and re-platformed, not run as an inherited black box. The point is sharpened by the fact that even while it was cleaning up Starwood, Marriott was breached again on its own network, the third incident in the regulators' case. The second lesson is dwell time: an intrusion that lasts four years is not bad luck, it is a detection failure, and it argues for behavioural monitoring and threat hunting rather than waiting for an alarm. Underneath both sits the basics, encrypt sensitive data, protect the keys separately so a database dump is not a plaintext dump, and minimise how much irreplaceable identity data (like passport numbers) you keep at all.
How to fix it
- Isolate and rebuild the compromised database environment, and rotate all credentials and encryption keys it held.
- Reconstruct the full multi-year intrusion timeline from whatever logs exist, and assume long-dwell persistence.
- Validate that "encrypted" fields are actually protected and that their keys were not also stolen.
- Notify affected guests and regulators, and stand up monitoring for the exposed identity and passport data.
How to avoid it
- Make cybersecurity due diligence a gate in any acquisition; you inherit the target's intrusions along with its systems.
- Invest in long-dwell detection and threat hunting; a breach undetected for years is a detection failure, not bad luck.
- Encrypt sensitive data and store keys separately, so a database dump is not a plaintext dump.
- Minimize and segment guest, payment, and passport data, and alert on unusual bulk access.
- Retire and re-platform legacy acquired systems quickly rather than running them as inherited black boxes.
References
- https://news.marriott.com/news/2018/11/30/marriott-announces-starwood-guest-reservation-database-security-incident
- https://www.ftc.gov/news-events/news/press-releases/2024/12/ftc-finalizes-order-marriott-starwood-requiring-them-implement-robust-data-security-program-address
- https://www.edpb.europa.eu/news/national-news/2019/ico-statement-intention-fine-marriott-international-inc-more-ps99-million_en
- https://www.csoonline.com/article/567795/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html
- https://www.theregister.com/2019/01/04/marriott_stolen_passport_numbers/
Related vulnerabilities
All OpSec →- CRITICALOPSEC-MIDNIGHT-BLIZZARD-2024
In January 2024, Microsoft revealed that Russia's foreign-intelligence service, the same APT29 behind SolarWinds, had been reading the email of its senior leadership. The way in was almost insulting in its simplicity: a forgotten, non-production test account with a weak password and no MFA. The attackers guessed the password by spraying common ones across many accounts, then pivoted through a forgotten over-privileged application to grant themselves access to corporate mailboxes, including those of executives and the security and legal teams. It is the lesson that your security is only as strong as the account you forgot about, and that even Microsoft's perimeter fell to a missing MFA checkbox.
- CRITICALOPSEC-MGM-CAESARS-2023
In September 2023, two of the biggest names in Las Vegas, MGM Resorts and Caesars Entertainment, were brought to their knees, not by a sophisticated exploit, but by a phone call. The Scattered Spider group simply called the companies' IT help desks, impersonated employees, and talked the support staff into resetting their multi-factor authentication, handing the attackers a way in. From there they deployed ALPHV/BlackCat ransomware. Caesars paid about $15 million; MGM refused and took a roughly $100 million hit as slot machines, hotel keys, and check-in systems went dark for days. It is the lesson that the help desk is part of your attack surface, and that the most advanced MFA is undone by a human who can be convinced to reset it.
- CRITICALOPSEC-LASTPASS-2022
LastPass is a password manager, the digital vault tens of millions of people trusted with every password they have. In 2022 attackers got into it, and the breach unfolded in a way that turned a developer's home computer into a path to those vaults. A first intrusion stole source code. The attackers used it to identify and target one of only four engineers who held the keys to production backups, planting a keylogger on his home PC through an unpatched flaw in, of all things, his Plex media server. With his master password captured, they exfiltrated backups of customers' encrypted password vaults. The encryption held, but anyone with a weak master password was now exposed to offline cracking at the attacker's leisure. It is the lesson that a vault is only as strong as the master password protecting it, and that your blast radius includes your engineers' home machines.
- HIGHOPSEC-TWILIO-2022
On 7 August 2022, Twilio, a company whose entire business is sending text messages and verification codes for other companies, was breached through text messages. Attackers ran an SMS phishing campaign against Twilio's own employees, texting them fake "your password expired" alerts from numbers that looked like Twilio IT and linking to convincing fake login pages. Several staff entered their credentials, handing over access to internal tools and the data of more than 200 customers, and rippling downstream to users of the secure-messaging app Signal. It was one strike in a sprawling campaign, dubbed 0ktapus, that phished around 130 companies the same way. It is the lesson that phishing-resistant MFA exists for a reason: ordinary credentials and codes can always be talked out of a human.
- HIGHOPSEC-TWITTER-2020
On 15 July 2020, the Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, and Apple all tweeted the same thing: send Bitcoin and I will send back double. It was a scam, and it ran from inside Twitter. Attackers had phoned a handful of Twitter employees, posed as IT, and talked them out of their credentials, which gave access to an internal admin tool that could take over any account on the platform. The mastermind turned out to be a 17-year-old. It is the lesson that a powerful internal "god-mode" tool is only as secure as the most socially-engineerable employee who can reach it.
- CRITICALOPSEC-OPM-2015
In 2015 the US Office of Personnel Management disclosed one of the most damaging government breaches in history. Attackers widely attributed to China stole background-investigation records on about 21.5 million people: the SF-86 security-clearance forms that catalogue relatives, finances, foreign contacts, mental-health history, and other intimate detail, along with 5.6 million sets of fingerprints. A separate intrusion took personnel records on 4.2 million federal employees. Initial access came through a contractor's credentials, there was no multi-factor authentication on key systems, the data sat unencrypted, and the intruders dwelt undetected for about a year. OPM had been warned for years about exactly these gaps. It is not a story about money; it is a counterintelligence catastrophe, and a lesson in MFA, contractor access, encryption, and minimising the most sensitive data you hold.