Cyber security due diligence: Marriott’s GDPR breach fine
Last week was a big week for the Information Commissioner’s Office in the UK after the BA fine announcement (£183m) and a second data breach fine story around the Marriott Hotel chain.
You may recall the breach that spanned a few years; there was a good summary of the main events in a Business Insider article:
- The breach occurred in 2014 in hotel company Starwood’s database.
- Marriott inherited the undetected breach when it bought Starwood in 2016.
- Marriott discovered the breach in November 2018.
So, one company suffered a big breach exposing the sensitive data of 339 million people. Then another company two years later acquired the (as-yet-unknown) breached business. Then two years after that the breach was discovered.
What happened next?
- The UK’s Information Commissioner’s Office (ICO) investigated and announced its intent to fine the hotel giant £99 million.
- The Information Commissioner’s Office stated that Marriott did not conduct sufficient due diligence on acquiring Starwood.
Marriott now has to defend itself against the fine (or at least negotiate over the size of it).
What went wrong – The Starwood breach?
The original problem, on Starwood’s watch, was a compromised database:
“The breach exposed sensitive guest data, including combinations of names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, date of births, genders, arrival and departure information, reservation dates, and communication preferences.
Some encrypted payment card numbers and expiration dates were also exposed, but the company didn’t confirm whether that payment information was safe due to its encryption in its initial statement in November.”
What went wrong – The Marriot Fine?
Clearly for Marriot, the events that caused all this occurred long before it had any responsibility for the Starwood business. However, the length of time between the deal and the breach being discovered afterwards makes it rather hard for them to claim zero responsibility for not identifying it. Either at the point of making the purchase, or as part of the on-boarding and integration of property, systems , data, networks and – in a real sense – any tangible corporate risks.
Ultimately, it is probably best to cite the ICO finding directly rather than trying to interpret the events all over again:
Marriott had “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.
The need for cyber security due diligence
For any company buying another company, the findings of the ICO and the intended fine in this case, mean that some form of due diligence around cyber security posture and breaches (or likelihood) is going to become increasingly necessary.
In his blog post (here) Ian McCraw asserts that:
“No deal has ever been made worse by performing Cyber Due Diligence, a process that reveals a spectrum of Cyber-related strategic deal issues, hidden costs and operational risks before investing in a business”
The blog contains a good summary of M&A cyber risks. Some of these are obvious and should always get attention. They include general risks from cyber-crime based on the reported costs of this globally, the likelihood in terms of businesses affected, numbers of personal data records or value of IP assets and the sizes of fines that could be imposed based on turnover etc. But also risks to the deal itself, the transactions, the price paid being over what the true value is when IP/data security risks are factored in and the costs to integrate and manage cyber exposures as systems and networks are unified.
Some of these risks can be quantified or be derived from external factors or statistics, but it is important to understand the cyber posture of the business that is being acquired, and this needs to be achieved in a quick, un-intrusive but objective way.
It may not be possible to conduct a full in-depth cyber security review, penetration test and breach investigation for a business – that could be an expensive process and the bigger the organisation, the more complex the assessment and higher price tag.
One approach, which mirrors some oversight and cyber security reporting regimes being put in place at present, is to start with key performance indicators (KPIs) of the outcomes of the cyber security operational processes. Then use those KPIs to either gauge risk or to identify the level of cyber security culture or maturity as an indicator as to whether further examination is needed.
Good examples of data points to measure initially are the things that are often linked to data breaches – the state of operating system and application patching, the way in which privileged accounts are managed, the adequacy of backups and the controls put around user activity (prevention of malware at the end point etc).
If these areas of performance score highly or appear to be covered, then there is a decent level of basic cyber hygiene – and some trust in the ability of the environment can be gained. Subsequent due diligence efforts can focus on specifics of the customer database, the web front-end, the protection of IP – i.e. the “big ticket” items that could affect deal value or lead to future fines if they turn out to have been compromised. These risks can be examined in detail or insured against (with hopefully lower premiums given the foundations are solid) or priced into the transaction price.
If, on the other hand, these basic cyber security indicators show cause for concern then the buying entity has options. In the current cyber climate of “when not if” it might be safe (or at least defensible) to assume that an organisation with sloppy cyber security has already been breached or is highly likely to; hence that knowledge can drive negotiations on price or lead to much more in-depth studies of the extent of cyber risk or directly consider threat scenarios and searches for pre-existing “indicators of compromise” and enable discussions around where those costs sit – with the buyer directly, or as part of the seller’s undertaking to the buyer.
Discretion is the better part of valour
To reiterate the point made above, no deal has ever been made worse by considering cyber risks. Much better to find those out pre-deal during due diligence and price them in to the transaction than to get caught like Marriot did with the compromised Starwood database.
The sums involved (hundreds of millions of dollars) give credence to the assertion that considering cyber risk is vital. Marriot’s eventual fine might yet be reduced, but if one looks at the previous Verizon/Yahoo deal – Yahoo had been breached and Verizon ended up paying $350m dollars less for the business because of it. Either way, a big fine or taking a hit on the price paid/valuation, there is real money at stake.
It is important (as the aforementioned article agrees) to:
- Think about cyber risk early in the transaction;
- Assess and quantify the exposure and sizes/likelihood of any future costs or risks;
- Make sure these get considered in the discussions and negotiations;
- Where problems are apparent or possible, make sure there are dealt with quickly once the deal is closed (or preferably before);
- Work out what other liabilities can be transferred through warranties, indemnities or insurance.