Field Notes · Analysis · 7 April 2026

Marriott / Starwood: A Network You Cannot Read

Rob Pinna Global M&A · Digital Due Diligence · Hospitality

Marriott closed the Starwood acquisition in September 2016. The attackers had been inside Starwood's reservation network since July 2014.

The financial due diligence had been thorough, but the cybersecurity audit had not been commissioned.

Starwood was running a guest reservation database called Valhalla, separate from Marriott's own infrastructure. The Starwood reservation environment remained operational after the acquisition and was still material to the breach investigation when the incident was detected in 2018. The integration problem was not only technical; Marriott inherited a live environment with an intrusion history that predated the deal.

In the same period, integration and restructuring changed the human map around Starwood's systems. The people who knew which queries against that database looked normal, which traffic patterns belonged to which integration, which alerts were noise and which weren't, were no longer necessarily the people with day-to-day authority over the inherited environment.

The breach was eventually detected in September 2018 by an internal security monitoring tool, four years and two months after the initial intrusion. The trigger was a count query against the guest reservation table with no business process behind it, the kind of anomaly that anyone who had spent six months reading that database day to day would have flagged far earlier. The ICO put the affected data at around 339 million guest records worldwide; for a subset of those guests it included passport numbers and travel histories. Payment cards are a fraud asset with a short useful life. Travel histories age into something else.
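The detection described above, and the baseline knowledge the previous paragraph says was lost in the restructuring, reduce to one mechanism: a record of which (account, application, query shape) combinations are normal against a sensitive table, and an alert on any combination that record does not contain. The following is an added example of that mechanism, written for this page; it is not Marriott's, Starwood's or any vendor's tooling. The audit-log format (`ts|user|app|sql`), the table name `guest_reservation`, the account and application names and every query text are constructed for illustration.

```python
"""
Baseline-driven detection of unbaselined queries against a sensitive table.

Added example, not code from the Marriott/Starwood investigation. The log
format, table names, accounts and queries below are all constructed.
"""
import re
from collections import defaultdict

# Tables whose every read must map to a known business process (assumed name).
SENSITIVE_TABLES = {"guest_reservation"}

_LITERALS = re.compile(r"'[^']*'|\b\d+\b")
_TABLES = re.compile(r"\b(?:from|join)\s+([a-z_][a-z0-9_.]*)", re.I)


def normalize(sql):
    """Reduce a query to its shape: literals become '?', case and spacing collapse."""
    return " ".join(_LITERALS.sub("?", sql).lower().split())


def tables_in(sql):
    """Table names following FROM/JOIN (good enough for the flat queries here)."""
    return {t.lower() for t in _TABLES.findall(sql)}


def parse_line(line):
    """Constructed audit-log format: ts|user|app|sql, pipe-separated."""
    ts, user, app, sql = line.split("|", 3)
    return {"ts": ts, "user": user, "app": app, "sql": sql}


def build_baseline(lines):
    """Map sensitive table -> set of (user, app, shape) seen in a trusted window.

    The window is the stand-in for institutional knowledge: it must be
    reviewed by someone who can say each entry belongs to a real process.
    """
    baseline = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        shape = normalize(ev["sql"])
        for table in tables_in(ev["sql"]) & SENSITIVE_TABLES:
            baseline[table].add((ev["user"], ev["app"], shape))
    return baseline


def detect(lines, baseline):
    """Return one alert per query against a sensitive table not in the baseline."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        shape = normalize(ev["sql"])
        for table in tables_in(ev["sql"]) & SENSITIVE_TABLES:
            key = (ev["user"], ev["app"], shape)
            if key in baseline[table]:
                continue
            reason = "query shape not in baseline for this account/application"
            if re.search(r"\bcount\s*\(", shape):
                # A bare count over a sensitive table is the classic
                # "size the haul before exporting it" signal.
                reason = "unbaselined COUNT over sensitive table"
            alerts.append({"ts": ev["ts"], "user": ev["user"], "app": ev["app"],
                           "table": table, "shape": shape, "reason": reason})
    return alerts


# Constructed trusted window: what the reservation application and the
# nightly sync job normally do against the table.
BASELINE_WINDOW = [
    "2018-08-01T09:00:00|resv_app|booking-api|SELECT guest_id, arrival, departure "
    "FROM guest_reservation WHERE confirmation = 'ABC123'",
    "2018-08-01T09:05:00|resv_app|booking-api|SELECT guest_id, arrival, departure "
    "FROM guest_reservation WHERE confirmation = 'XYZ999'",
    "2018-08-02T02:00:00|etl_batch|nightly-sync|SELECT guest_id, loyalty_no "
    "FROM guest_reservation WHERE updated_at > '2018-08-01'",
]

# Constructed live traffic: one normal lookup, one count from an interactive
# admin session, one query against a table that is not sensitive.
LIVE = [
    "2018-09-08T14:10:00|resv_app|booking-api|SELECT guest_id, arrival, departure "
    "FROM guest_reservation WHERE confirmation = 'QQQ111'",
    "2018-09-08T14:12:00|dba_admin|sqlplus|SELECT COUNT(*) FROM guest_reservation",
    "2018-09-08T14:15:00|dba_admin|sqlplus|SELECT * FROM hotel_property WHERE brand = 'W'",
]


def run_demo():
    """Build the baseline from the trusted window and score the live lines."""
    return detect(LIVE, build_baseline(BASELINE_WINDOW))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two caveats a practitioner would add. The baseline window is only as good as the people who review it: if the environment was already compromised when the window was captured, as Starwood's was for four years, the attacker's habitual queries are in the baseline and will never alert, so the window has to be walked through by someone who can name the business process behind each entry. And the literal-stripping here handles flat queries; subqueries, CTEs and bind variables need a real SQL parser before the shapes are trustworthy.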

Acquisitions are usually treated as a transfer of contracts, brands, and infrastructure, and the institutional knowledge that makes that infrastructure legible is treated as overhead, the first thing optimised away after closing, because it does not appear as a line item in the valuation.

A network you cannot read is a liability you have agreed to inherit in writing.

Sources
  1. Marriott International Form 8-K filing dated 30 November 2018.
  2. UK Information Commissioner's Office, Penalty Notice issued October 2020.
  3. Krebs on Security archive on the Marriott-Starwood case.
  4. The internal name Valhalla for the Starwood guest reservation system is referenced in court filings related to the subsequent class action.