Donate
Customer Data Isn’t Always an Asset: Lessons from the Marriott Data Breach Thumbnail
‹ Back
Trust 30 November 2018

Customer Data Isn’t Always an Asset: Lessons from the Marriott Data Breach

Ryan Polk
By Ryan PolkPolicy Advisor

As data analytics have improved, the massive amounts of data that companies acquire from their customers has only gained in economic value. In the corporate world of today, this data can be a real asset for companies. However, as today’s news, that the records of over 500 million guests of Marriott International’s Starwood division hotels were involved in a data breach, makes clear, corporate thinking about the value of customer data needs to be reevaluated.

Especially when it comes to corporate acquisitions, companies need to start treating customer data as a potential liability, as well as an asset.

In September 2016, Marriott International acquired Starwood for $13.6 billion. When Marriott International sought to buy the Starwood hotel chain, Starwood’s customer data, played a central role in their reasoning for the acquisition. Citing higher income and better brand loyalty among program members,  Arne Sorenson, the Marriott CEO, specifically referred to Starwood’s loyalty program as a “central, strategic rationale for the transaction.” Loyalty programs, in addition to attracting repeat customers, also “provide hotels with a wealth of information on their guests” which hotels can use to “create laser focused marketing campaigns for various different kinds of guests.”

While Marriott International successfully acquired Starwood, its valuable loyalty program and customer data, they also unwittingly acquired a data breach in progress, which would lead to future damage to their global brand.

As an internal investigation has suggested, the criminals behind this recent data breach had been inside the Starwood’s networks since 2014 – two years before the acquisition. These criminals gained “unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before 10 September 2018.” For some customers, this information includes personal information like contact information, mailing addresses, names, and even passport numbers. Marriott International has also been unable to rule out the possibility of payment information, like credit card numbers, having been stolen as well.

In news reports, this is not Starwood’s data breach, but Marriott International’s. And this incident is already costing the company. Overnight, their stock price dropped by over 5%. Like any data breach, this incident will harm trust between the company and its customers. To try to rebuild their customers’ trust, Marriott International has: set up a website about the incident and a dedicated call center; said it will send out email notifications to those impacted and will pay for a year’s worth of a monitoring service to alert them if their personal information being shared online (in some countries). All of this takes money and resources.

The Marriott – Starwood acquisition and data breach provides an important lesson: when a company is negotiating an acquisition, data security and data handling practices must be a central part of the negotiations, and a company’s due diligence.

When Marriott International acquired Starwood and its data, they also acquired the risk associated with storing and handling that data. Digital security is a crucial part of a corporation’s bottom line, and security incidents can quickly become disastrous for a business. Before making acquisitions, companies need to carefully look at the digital security and data handling practices of the businesses they seek to acquire, analyze the risks, and reassess.

How much risk am I really willing to pay for? Is $13.6 billion and a data breach a fair deal?

Read the Cyber Incident & Breach Trends Report, which includes core readiness principles and a top-level readiness checklist.

‹ Back
Join the conversation with Internet Society members around the world