Marriott Acquired Starwood. It Also Acquired a Four-Year Intrusion.
A hotel chain bought a competitor — its brands, its properties, its loyalty program. What nobody put a price on was the intruder who came with them, already four years into a breach of the guest datab
On September 8, 2018, a monitoring tool inside Marriott International’s network flagged a single query it could not explain. Something was reading the Starwood guest reservation database in a pattern that matched no legitimate operation. Pulling on that one thread unwound four years of history. It led back to July 2014 — to a time when the compromised systems did not belong to Marriott at all. They belonged to a company Marriott had not yet announced any intention to buy.
The intruder had been inside Starwood’s network before the acquisition was public. Still inside when the deal closed. And inside for two more years after that, while the two companies spliced their systems together one migration at a time. The question this breach leaves on the table is an unusual one: how does an attacker survive a corporate merger?
Starwood Hotels & Resorts ran thousands of properties across dozens of countries, tied together by a loyalty program called Starwood Preferred Guest. Book a room and you handed over your name, address, phone number, email, date of birth, and payment card — and, travelling internationally, your passport number. For loyalty members the database also kept arrival and departure dates and reservation histories. It filled the way a filing cabinet fills when no one is assigned to empty it: one guest at a time, year after year. Some folders dated back to 2002.
In November 2015, Marriott announced it would acquire Starwood; the deal closed in September 2016. What Marriott also acquired — though this would not surface for two more years — was an active intrusion that had been running inside Starwood’s network since July 2014.
When Marriott finally disclosed the breach on November 30, 2018, the first estimate reached as high as 500 million guests. Forensic work later settled the figure at roughly 339 million records exposed worldwide. For a limited set of guests, the exposure included unencrypted payment card numbers. And for 5.25 million guests, it included unencrypted passport numbers.
That last category is the one most breaches never reach. A compromised payment card is cancelled and reissued in days. Replacing a passport takes a government office visit, a fee, and weeks of processing — and in the interim the number stays valid, still tied to its holder in every system that ever recorded it. Those costs — new passports, replacement cards, identity monitoring — fall on the people whose data was held, not on the company that held it.
The way in was a Starwood web server — one of the systems that faced the public internet, taking requests from outside. In July 2014, an attacker reached that server and planted a web shell.
A web shell is a small piece of code left on a web server that hands whoever planted it a remote command line — the ability to run instructions on that server from anywhere, at any time, as if seated at its keyboard. Picture a hotel lobby that never closes, and someone who walks in during business hours, finds a service corridor, and mounts a hidden phone behind a utility panel. From then on they call in whenever they like and have their instructions carried out inside the building. The lobby stays open. The guests keep arriving. The phone is invisible to anyone who does not already know it is there.
From that foothold the attacker installed three separate remote-access trojans — tools that hold open a persistent channel back to the attacker’s own machines. One web shell can be found and removed; three redundant channels mean losing one is not losing the network. Then came the step that turned a foothold into free movement: credential harvesting with a well-known tool called Mimikatz. When someone authenticates to a server — an administrator logging in, an application connecting to a database — the system briefly holds those credentials in active memory, because it needs them for the session. That necessity is also a weakness. The credentials sit there the way a sign-in sheet at a security desk holds every badge number currently checked in: the desk needs the sheet, but anyone who can read the desk can read every badge on it. Mimikatz reads the desk — scanning memory for what the operating system has already placed there, no cracking or guessing required. On Starwood’s server it harvested highly privileged administrative credentials. Not the key to one room. The keys that managed the building.
Those credentials unlocked the network. Regulators later mapped the movement: more than 480 systems compromised across 58 locations — corporate offices, data centres, and individual hotels, linked by the corporate network that ties every property back to the central reservation system. The attacker moved laterally, planting key loggers and memory-scraping malware to gather still more credentials along the way. Nothing forced them to stop. Network segmentation — the internal walls that keep a compromise in one area from becoming access to every other — is the control that should have broken that movement. Starwood’s walls were not there, and the path from the web server to the reservation database was open.
The interval between that first compromise and its discovery ran more than four years, against an industry median measured in weeks or months — a category of persistence that outlasted operating-system upgrades, staff turnover, and a change of corporate ownership.
By the time the acquisition closed in September 2016, the attacker had been inside for over two years, and the work of merging two companies was only starting: systems inventoried, networks consolidated, accounts migrated, data moved off legacy platforms. A corporate acquisition audits assets with real rigour — properties, brands, revenue, contracts. What it does not audit with the same rigour is the security posture of every system it absorbs. Regulators later named the gaps that let the intruder ride through: multi-factor authentication not fully deployed, especially for administrative accounts; monitoring too thin to catch the attacker’s tools; software outdated and unpatched. None of those gaps appeared during the merger — they predated it. The merger was simply the moment they became Marriott’s, inherited alongside the brands and the guest database. With read-and-write access the whole time, the attacker could watch the integration happen: which systems were being consolidated, which were getting attention, which were not. They did not have to evade a team hunting for them — only to stay in the spaces no one was watching, and the monitoring that would have watched those spaces had never been built.
In July 2018, four years in, the attacker added one more tool: an open-source VPN — an encrypted tunnel into a network they had occupied since 2014. Organizations use VPNs routinely to let employees reach internal systems from outside; the attacker built one for the same purpose. Two months later, it was the thing that finally got noticed.
The alert came from IBM Guardium, a database activity monitor — a tool that watches the queries hitting a database and compares them against the patterns legitimate systems produce. On September 8, 2018, it flagged a query against the guest reservation database that did not fit. Guardium caught what years of network monitoring had missed, and the reason is the whole lesson: it was watching the database itself, not the network around it. The attacker’s tools had lived on hundreds of systems without tripping an alert, because coverage across the broader network was too sparse to produce one. It took a monitor trained on the exact system the attacker was ultimately after to see anything at all — a demonstration of what happens when monitoring exists in one place and not the others.
Eighty-three days then passed between that alert and public disclosure while investigators established the scope — days in which the company knew 339 million people’s information had been taken and those people did not. That asymmetry sits inside every breach timeline; the only variable is how long it lasts.
Who the intruder was, the public record does not say. The regulatory complaint calls them only “malicious actors” — no threat group named, in it or in the securities filings or the settlements, and no arrests publicly tied to this intrusion. Several news organizations reported that investigators suspected Chinese state-sponsored actors, but that attribution never entered the primary legal record. Who was inside that network, and why, remains formally unanswered.
Marriott reported $198 million in breach-related expenses through the first three quarters of 2019 alone, offset by roughly $77 million in insurance recoveries. Forty-nine U.S. states and the District of Columbia reached a combined $52 million settlement. The UK’s data-protection regulator, after proposing a penalty of nearly £100 million, ultimately issued £18.4 million — European data-protection law applying only to the portion of the breach after May 2018. And the Federal Trade Commission ordered Marriott to run a comprehensive security program under independent assessment every two years for the next twenty.
The most telling part of that order was not the security program but a requirement to delete guest data that no longer serves an active business purpose — a direct answer to a database still holding records from 2002. A guest who checked in that year and never returned still had their name, address, and date of birth in a live system sixteen years later, reachable by anyone who got that far. Deleting data past its useful life has a name — data minimization — and its absence is a policy gap, not a technical one. Every year a database runs without review, the pile an intruder can reach only grows.
What separates this breach from a story about sophistication is that none of the attacker’s tools were exotic. A web shell. Mimikatz. Off-the-shelf remote-access trojans. An open-source VPN. All of it documented, widely known, some of it free. The attacker did not need to invent anything — only a network whose foundational controls, from authentication to encryption to data retention, had gaps wide enough to move through quietly for four years, straight through a corporate acquisition, without being seen.
The distance underneath this breach is the distance between acquiring a company and auditing its defences. An acquisition transfers the assets. It transfers the exposure just as completely — every unpatched system, every unwatched segment, every administrative credential without a second factor. What the purchase agreement does not transfer, unless someone insists on it, is visibility into what is already living inside the infrastructure being bought. Four years of an attacker moving through a database as it changed hands between two companies is what that distance looks like when someone is standing inside it.
Sources & further reading
- **U.S. Federal Trade Commission** — the complaint and final order, *In the Matter of Marriott International, Inc. and Starwood Hotels & Resorts Worldwide* (2024): the attack path, the 480-systems / 58-locations scope, and the itemized missing controls.
- **Marriott International SEC filings** — the 8-K disclosing the breach (November 30, 2018) and subsequent 10-K / 10-Q filings reporting breach-related expenses and insurance recoveries.
- **UK Information Commissioner’s Office** — the penalty notice against Marriott International (October 30, 2020): the £18.4 million fine, reduced from a proposed £99.2 million.
- **Office of the Privacy Commissioner of Canada** — the joint investigation report under PIPEDA into the Starwood breach.
- **State Attorneys General** — the 2022 multistate settlement ($52 million across 49 states and the District of Columbia).
- **U.S. Senate** — the 2018–2019 committee hearing record examining the Marriott/Starwood breach and its disclosure timeline.
