Summary

  • Inherited operational truth: The intruder entered the Starwood environment in late July 2014, more than two years before Marriott completed its acquisition of Starwood on September 23, 2016. Marriott did not create the initial compromise. After closing, however, it controlled a company whose still-operating reservation system and global guest records had to be governed as Marriott assets, even while the legacy and Marriott networks remained separated.
  • Timeline and scope: A database-monitoring alert was generated on September 7, 2018 and elevated to Marriott on September 8. Investigators found a remote-access trojan on September 17, identified deleted encrypted export files on November 13, decrypted two files on November 19, notified the UK regulator on November 22 and disclosed publicly on November 30. Marriott's early ceiling of 500 million guests became an upper limit of 383 million records and later regulatory records used 339 million globally; none of those figures is a clean count of unique people.
  • Data and control findings: The exposed combinations included contact details, dates of birth, passport identifiers, loyalty data, reservation and stay information, and payment-card data. The UK Information Commissioner's Office made four principal findings for the GDPR period only: insufficient monitoring of privileged accounts, insufficient database monitoring, inadequate control of critical systems, and failure to encrypt all passport numbers. It did not make final findings under GDPR Articles 33 or 34, and it excluded incomplete multifactor-authentication coverage from the penalty after considering Marriott's representations.
  • Accountability after enforcement: The ICO imposed a £18.4 million penalty in 2020. In 2024, state attorneys general reached a $52 million settlement and the Federal Trade Commission imposed a 20-year order covering security governance, acquired-entity assessment, monitoring, access, hardening, cryptography, data retention and independent assessment. Marriott did not admit liability in the ICO process or multistate settlement. Those procedural limits matter, but they do not dilute the operational lesson: acquisition closes a legal transaction; it does not certify the acquired environment's truth.

The asset was a company, a database and an unfinished security history

Marriott announced its agreement to acquire Starwood on November 16, 2015. Four days later, Starwood disclosed a distinct payment-card incident affecting point-of-sale systems at a limited number of North American hotels. Starwood's 2015 annual report said malware had reached restaurant, gift-shop and other point-of-sale systems; it said there was no indication at that time that the reservation or Starwood Preferred Guest systems were affected. (Starwood 2015 Form 10-K)

That disclosure was not notice of the reservation-database intrusion later announced by Marriott. The two events involved different systems and public accounts. It was, however, notice that Starwood's environment had a security history. The Federal Trade Commission's 2024 complaint says the point-of-sale compromise lasted about 14 months, involved more than 40,000 consumers, and was associated with inadequate segmentation, access controls, unsupported software and missing multifactor authentication. The same complaint says Marriott reviewed Starwood's information-security program during the ten months between announcement and closing, including the failures linked to that first breach. Those statements are FTC allegations in a consent matter, not findings from a contested trial. (FTC complaint)

Marriott's account adds an important constraint. In 2019 testimony to a US Senate subcommittee, then-chief executive Arne Sorenson said Marriott obtained information about Starwood's technology and assessed integration during the pre-close period, but that the inquiry was legally and practically limited because the companies remained competitors. Marriott decided to retain its own reservation platform and retire Starwood's. Moving 1,270 hotels without disrupting reservations took two years, so the Starwood system continued operating after close while Marriott said it invested in additional security. (Sorenson Senate testimony)

Both facts can be true. Pre-close access can be constrained, and a buyer can still inherit a live control problem. The mistake is to treat diligence as a one-time certificate rather than a change in the burden of proof. Before close, the buyer asks what it can lawfully inspect, what the seller represents and what contractual protection it needs. After close, the owner can revalidate privileged identities, inspect logging, search for persistence, map database exports, test segmentation, inventory cryptographic methods and decide whether a legacy system may keep processing personal data. The authority changes. So must the evidence.

Marriott completed the acquisition on September 23, 2016. Starwood became an indirect wholly owned subsidiary, and the combined group described nearly 6,000 properties, more than 1.1 million rooms and 30 brands across 120 countries and territories. (Marriott acquisition Form 8-K) The scale is relevant not as spectacle but as a map of dependency. A reservation database was not a peripheral office application. It linked hotels, contact centres, loyalty processes, guest service and travel records across a global franchise and management system.

The public record also establishes a narrow but important architecture fact. The ICO found that the systems accessed by the attacker remained segregated from the wider Marriott network. It said the attack did not provide access to personal data processed only on non-Starwood systems. Separation therefore limited blast radius. It did not make the acquired environment safe. The Starwood side remained in production, and separation without effective monitoring can preserve an intruder as readily as it contains one.

Timeline: entry, ownership, detection and disclosure are different dates

The breach is often compressed into the phrase "unauthorized access since 2014." That phrase loses the sequence needed for accountability. At least six clocks matter: initial intrusion, Marriott's acquisition, the start of GDPR coverage, the alert, confirmation that guest data was involved, and public disclosure.

June 2014 to 2015: a separate Starwood payment-card event. The FTC's later complaint describes a 14-month intrusion in which an actor reached Starwood's network and installed payment-card-stealing malware at more than 100 owned or managed properties. Starwood publicly disclosed a narrower property-level point-of-sale event in November 2015 and said its guest reservation and loyalty systems were not indicated as affected. This earlier event is relevant because it put network weaknesses into the acquisition context. It should not be retroactively merged with the reservation-database breach as if every fact or affected consumer were the same.

July 28-29, 2014: entry into the environment later tied to the reservation breach. The FTC complaint places compromise of an external-facing web server on or about July 28. The ICO penalty notice says a web shell was installed on July 29 on a device supporting an application used by Starwood employees to request website-content changes. The shell enabled remote access and the installation of remote-access trojans. The one-day difference reflects the precision of two public reconstructions, not necessarily a factual contradiction. The safe conclusion is late July 2014.

The intruder harvested privileged and user credentials and moved through the Starwood environment. The FTC alleged that keyloggers, memory-scraping malware and remote-access trojans eventually appeared on more than 480 systems across 58 corporate, data-centre, contact-centre and hotel locations. The ICO described use of legitimate accounts, Mimikatz credential extraction and export of entire database tables into dump files. Neither record publishes the underlying forensic report, a complete list of affected hosts or the precise vulnerability that first made the public-facing server exploitable.

November 2015: Marriott announces the deal; Starwood discloses the other breach. This is the moment when inherited cyber risk became visible as a transaction issue. It did not reveal the hidden reservation attacker. It did give the buyer reason to treat technical assurances, remediation claims, payment-card compliance and network segmentation as propositions requiring independent verification after control transferred.

September 23, 2016: Marriott closes the acquisition. The reservation intruder was already present. Marriott says it made security enhancements while it continued operating Starwood's system pending migration. The ICO records that the two networks stayed separate during the relevant period. The FTC later alleged that Marriott had responsibility for establishing, reviewing and implementing security practices for both companies after close.

May 25, 2018: the GDPR becomes applicable. This date defines the ICO decision's legal reach. The attack began years earlier, but the penalty notice addressed Marriott's processing from May 25 through September 17, 2018. The ICO expressly said it was not making an infringement finding for the period between acquisition and GDPR applicability and did not decide whether deeper diligence had been possible during the takeover. That boundary is essential. The ICO used the inherited system to assess Marriott's continuing controller duties after the GDPR took effect, not to invent retroactive GDPR liability for 2014 or 2016 conduct. (ICO penalty notice)

September 7-8, 2018: a count query generates an alert. On September 7, an administrator account queried the row count of a protected guest-profile table. IBM Guardium generated an alert. Accenture, which managed the Starwood guest reservation database, contacted Marriott's IT team on September 8. Marriott learned that the person whose credentials were used had not performed the query. The alert concerned a table monitored because it included card details; the ICO said other tables without payment-card data lacked equivalent alerts.

This was detection of an anomalous action, not immediate knowledge of the whole breach. The query returned a count, not row contents. The same day later became contested in the ICO's analysis of when Marriott was aware of a personal-data breach for Article 33 notification purposes. After considering Marriott's representations, the ICO made no final Article 33 infringement finding.

September 9-12: incident response and continued attacker activity. Marriott invoked its information-security and privacy incident-response plan around September 9 or 10 and brought in external investigators on September 10. The ICO says another passport-related table was exported to a dump file that day. On September 12, Marriott began deploying real-time monitoring and forensic tools across approximately 70,000 legacy Starwood devices. The fact that a data export occurred after the first alert is material; it shows why alert generation, analyst escalation, containment and eradication must be measured separately.

September 15-18: credentials, malware and governance escalation. Investigators identified unauthorized activity involving Accenture employee credentials from July. They found a remote-access trojan on September 17 and blocked command-and-control addresses. Sorenson testified that he was informed that day and the board was notified on September 18. The ICO selected September 17 as the end of the infringement period for its penalty analysis because that was when the RAT was identified and contained, not because every forensic question was resolved.

October 2018: the historical intrusion becomes visible. Investigators identified evidence of Mimikatz and memory-scraping malware and traced unauthorized presence back to July 2014. Marriott contacted the FBI on October 29. At this stage, according to the company's Senate testimony, investigators had evidence of a long intrusion but had not yet found evidence that guest data in the reservation database had been accessed.

November 13-19: deleted files become evidence of guest-data export. On November 13, investigators found traces of two compressed, encrypted and deleted files. They decrypted them on November 19 and found exports of guest-profile and passport-related tables. That was the date on which Marriott says it determined that the files contained personal information from the Starwood guest reservation database. The distinction between the September anomaly and November confirmation explains the investigative delay without itself proving that every notification decision was timely.

November 22-30: regulatory notice and public disclosure. Marriott notified the ICO on November 22. It found evidence of additional historical table copies on November 25 and 26, notified payment-card networks and a range of authorities, and announced the incident publicly on November 30. Its initial notice said the database was in the United States and contained records relating to reservations at Starwood properties on or before September 10, 2018. (Marriott November 2018 incident notice)

December 18-31, 2018: retirement. Sorenson said Marriott stopped using the Starwood guest reservation database for business operations on December 18. Marriott's January update described the phase-out as effective by year-end. Retirement ended its role in live reservations, but a secure retirement also requires disposition of copies, credentials, keys, forensic images, backups and legal holds. The public record does not provide a complete destruction ledger.

2019-2020: scope changes and a final UK penalty. Marriott revised its counts in January and in its annual report. The ICO issued a July 2019 notice of intent proposing £99,200,396. After Marriott's written representations, consultation with other European authorities, mitigation analysis and a COVID-19 adjustment, the final penalty was £18.4 million on October 30, 2020. Marriott said it would not appeal but made no admission of liability. (Marriott response to final ICO decision)

April 2024: a five-year-old cryptographic description changes. Marriott added an update to its 2018 and 2019 notices: payment-card numbers and some passport numbers it had described as protected with AES-128 encryption were instead protected with SHA-1. That correction does not change the fact of unauthorized access. It changes how readers should interpret the old statements about encryption and keys.

October-December 2024: parallel US resolutions become enforceable. A coalition of 50 attorneys general announced a $52 million settlement covering 131.5 million US-associated guest records and long-term safeguards. The FTC announced a parallel consent settlement in October and finalized its decision and order on December 20. The FTC matter addressed three breaches from 2014 to 2020, so not every allegation or remedy in that proceeding belongs exclusively to the Starwood reservation incident.

2025-2026: private litigation remains a separate track. In June 2025, the Fourth Circuit enforced a class-action waiver and reversed certification of classes against Marriott; it did not decide the underlying breach claims after a trial. (Fourth Circuit opinion) Marriott's Form 10-K filed February 10, 2026 says some plaintiffs brought individual New York actions, mediation discussions continued in the federal multidistrict litigation, the Canadian matters were effectively consolidated in Ontario, and Marriott disputed the allegations. (Marriott 2025 Form 10-K)

The numbers are records, people, regions and procedural populations

No single breach number can safely stand for every purpose. Marriott's estimates changed as investigators deduplicated and classified tables. Regulators and courts later used different populations tied to their jurisdiction or proceeding.

Date and source Population What the number means What it does not mean
November 30, 2018 Marriott notice Up to approximately 500 million guests; about 327 million with a broader combination of fields Preliminary public ceiling before completed duplicate analysis A verified count of unique individuals or people who all lost the same fields
January 4, 2019 Marriott update Approximately 383 million records as an upper limit; fewer unique guests Revised company estimate after some deduplication 383 million distinct people
2020 ICO penalty notice 339 million guest records globally; 30.1 million associated with EEA states; 7 million associated with the UK Population used in the final GDPR enforcement record A count that can be added to the 383 million ceiling; the regional records are subsets
2024 multistate settlement 131.5 million records pertaining to US customers US-associated population used by the states The global total or a count of individual claimants paid compensation
2025 Fourth Circuit opinion Roughly 133.7 million guest records in the litigation account Population used to describe the consumer case A merits judgment that every record produced compensable harm

The difference between a record and a person is not editorial housekeeping. A guest may have multiple stays, addresses, companions, loyalty entries or duplicated profiles. Different tables may identify the same person in inconsistent ways. Marriott told the Senate it could not confidently decide whether matching or similar names and addresses belonged to one person or several. A defensible data inventory should solve enough of that identity problem before an incident, not discover during notification that it cannot state how many people it holds.

The categories also varied. Marriott's first notice said approximately 327 million records contained some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest information, date of birth, gender, arrival and departure information, reservation date and communication preferences. Some included payment-card number and expiration. The remainder were described as name plus, in some cases, another field such as address or email. "Some combination" is a warning against treating every listed field as present for every guest.

The ICO's table-level account adds operational detail. One reservation-sharing table included guest and loyalty identifiers, VIP flags, passport country and number, arrival and departure information, contact details, flight number, airline code, check-in status and the number of guests in a room. Another table included room type, adult and child guest counts, and requested cribs or rollaway beds. These fields can reveal household and travel context even without a financial credential.

Passport and payment-card counts moved as well. Marriott's January 4, 2019 update listed about 5.25 million unencrypted passport numbers and 20.3 million passport numbers then described as encrypted. It listed about 8.6 million payment cards then described as encrypted, 354,000 of which were unexpired in September 2018, and fewer than 2,000 15- or 16-digit values in other fields that might be unencrypted card numbers. (Marriott January 2019 update)

By the 2018 Form 10-K and March 2019 testimony, the company used approximately 18.5 million protected passport numbers, 9.1 million protected payment cards and 385,000 cards unexpired as of September 2018. It said the data could include several thousand unencrypted payment-card numbers. The annual report also recorded $28 million of 2018 incident expense, partly offset by $25 million in accrued insurance recoveries; those accounting entries measure response costs, not guest harm. (Marriott 2018 Form 10-K)

The correct presentation is therefore a set of bounded estimates, not a contest to choose the largest or latest number. It is also important to preserve uncertainty in both directions. Duplicate records make the unique-person count lower than record totals. Unknown or unrecovered files, incomplete historic telemetry and free-text fields can make precise field-level reconstruction harder.

What the ICO found, and what it deliberately did not find

The ICO penalty notice is the strongest public adjudicative record for security failures in the Starwood reservation environment. It is also narrower than many summaries imply.

First, the ICO found that Marriott, as controller, infringed GDPR Article 5(1)(f) and Article 32 by failing to process personal data with appropriate security. The decision covered May 25 to September 17, 2018. The GDPR's official text makes security risk-based: appropriate measures depend on state of the art, implementation cost, processing context and risk to people's rights and freedoms. The obligation is not a guarantee that no attacker succeeds. It is an obligation to implement and test measures appropriate to the actual data and system.

Second, the final notice identified four principal failures.

Insufficient monitoring of privileged accounts. The attacker used legitimate credentials for unauthorized activity. The ICO found that Marriott lacked appropriate ongoing monitoring of user activity, especially privileged accounts, inside the cardholder-data environment. Marriott had a security operations centre, annual penetration tests and payment-card compliance reports. The regulator concluded that those controls did not evaluate the relevant logging configurations and did not replace the need to detect abnormal use after authentication.

Insufficient monitoring of databases. Guardium logged and alerted on selected activity, but the ICO found incomplete database alerting, insufficient log aggregation and failure to log actions such as file creation and full-table export. The alert that ultimately mattered was applied to a table containing card data. Other personal-data tables lacked equivalent alerts. Payment-card sensitivity can justify stronger controls, but the regulator said it did not justify no alerting on other personal data.

Inadequate control of critical systems. The ICO found that appropriate server hardening, such as execution control or equivalent allowlisting on critical systems, could have limited reconnaissance, privilege escalation and malware execution. The decision did not prescribe allowlisting everywhere. It focused on critical devices and systems able to reach large or sensitive personal-data stores.

Failure to encrypt all passport numbers. Approximately 5.25 million passport numbers were unencrypted. The ICO found no documented risk assessment that explained why some passport numbers received cryptographic protection and others did not. Its broader point was not that every field must always be encrypted. It was that selective protection needs an evidence-based rationale and meaningful implementation.

The 2024 SHA-1 correction complicates the last finding's technical language. The penalty notice discussed AES-128 based on the record then before it. Marriott later said payment-card numbers and some passport numbers in the tables were instead protected using SHA-1. That later statement should supersede the old algorithm description for those subsets; it does not erase the ICO's finding that millions of passport numbers were left unencrypted or its conclusion that Marriott had not shown a consistent risk assessment.

The exclusions are equally important.

The ICO did not penalize Marriott for incomplete multifactor-authentication coverage. Marriott had relied on management assurances and payment-card compliance reports from 2016 and 2017 stating that MFA protected access into the segmented cardholder environment. The implementation was in fact incomplete, but after considering Marriott's representations the ICO accepted that reliance for the specific purpose before it and removed MFA from the final penalty findings. A careful account can still discuss the operational gap; it cannot call that gap one of the four final ICO infringements.

The ICO did not make a final Article 33 breach-notification finding. It rejected some of Marriott's legal reasoning about awareness but considered the limited September alert, Marriott's lack of knowledge of the table export until November 13 and decryption on November 19, then dropped the proposed finding. It also made no final Article 34 finding about communication to affected people. The regulator criticized an email that referred to a call centre without including the phone number, but accepted that the email linked to the dedicated site where the number was available.

The ICO did not decide that Marriott's pre-close due diligence was legally insufficient. It acknowledged that in-depth diligence of a competitor may be constrained and excluded pre-GDPR conduct from the decision. It did conclude that due diligence is not a one-off event and that Marriott could not continue processing under the GDPR on deficient inherited systems merely because the weaknesses predated the law or acquisition.

Finally, the £18.4 million figure should not be confused with the 2019 proposal. The final notice considered Marriott's submissions, rapid post-alert response, cooperation, absence of evidence of financial harm seen by the ICO, other mitigating factors and the impact of COVID-19. Marriott did not appeal. Its statement of no admission coexists with a final regulator decision that expressly found infringements. "No admission" describes Marriott's procedural position; it does not convert the ICO's findings into allegations.

The 2024 correction turns key management into an inventory problem

Marriott's original notice said payment-card values were encrypted with AES-128 and required two components to decrypt; at that time the company could not rule out that both were taken. The January 2019 update said there was no evidence that the attacker accessed the master key needed for protected passport numbers or either component needed for protected card numbers. In March testimony, Sorenson said Marriott had not found evidence of master-key access but could not rule it out.

Those statements framed the risk as ciphertext plus possible key compromise. Marriott's April 2024 update changed the frame: payment-card numbers and some passport numbers in the affected tables were protected with SHA-1 rather than AES-128. SHA-1 is a hash function, not an encryption scheme. NIST describes a hash as mapping data to a fixed-size digest and has been moving away from SHA-1 for cryptographic protection. (NIST hash-function overview, NIST SHA-1 transition notice)

That distinction matters. Encryption is designed to be reversible with an authorized secret or process. Hashing is normally used to produce a digest and is not "decrypted" with the master key described in the earlier notices. But the public correction does not disclose whether values were salted, keyed, truncated, tokenized in another layer, paired with lookup tables, or otherwise transformed. Nor does it identify the exact passport and card subsets to which SHA-1 applied or say whether anyone recovered the underlying identifiers from those values. It would be irresponsible to manufacture those details.

The accountability finding is narrower and still significant: five years after disclosure, the public description of a core protection mechanism changed categories. That suggests a failure of cryptographic inventory, evidence translation or both. An organization should know, per field and copy, whether data is plaintext, encrypted, tokenized or hashed; which algorithm and mode apply; where keys or secrets reside; who can invoke them; what migration state exists; and how those facts were tested.

This is especially important during acquisition. A policy document saying "sensitive fields are encrypted" is not a field-level inventory. A payment-card compliance report is not proof that every passport field in every legacy table receives the same treatment. An algorithm name in an incident notice is not reliable until investigators trace application code, schema configuration, key services, stored values and historical versions.

Good key management also cannot compensate for uncontrolled use by an authorized application. If an attacker controls a privileged account or database process that can request plaintext, encryption at rest may offer little protection during live queries or export. The ICO made this point indirectly: MFA at the outer boundary did not remove the need for logging inside, and encryption depended on meaningful architecture and key management. Controls must be layered around use, not merely attached to storage.

Data in the United States remained governed by people and law elsewhere

Marriott's first notice said the Starwood guest reservation database was in the United States. The records were global. The ICO counted 30.1 million records associated with EEA states and 7 million associated with the UK. The states later used 131.5 million US-associated records. Physical database location therefore answered one question: where a particular system operated. It did not answer who the people were, which establishments processed their data, which authorities had jurisdiction, or which hotel, franchisee, service provider and corporate team could access it.

Data sovereignty and locality should be separated into at least four layers.

Storage locality is where primary databases, replicas, backups, export files, logs and forensic copies reside. The public record identifies the reservation database as US-based but does not provide a complete map of every copy or backup.

Access locality is where users, services and administrators can exercise authority over the data. Accenture managed the database; Starwood and Marriott operations spanned many countries; hotel and contact-centre processes fed the reservation system. A database can remain on US hardware while privileged access and operational decisions cross borders.

Legal locality follows people, establishments, processing and applicable law, not only racks. The ICO acted as lead supervisory authority for cross-border processing under the GDPR cooperation mechanism. US states asserted their own consumer-protection and personal-information laws. A central database can therefore accumulate a distributed legal perimeter.

Business locality is where the record has meaning. Arrival dates, companions, VIP status, airline and hotel location are tied to a traveller's movement and relationships. Centralizing them may support global service, but it also creates a concentrated description of activity across jurisdictions.

Marriott's current global privacy statement says international transfer is essential to its global service, that data may move to countries with different protection standards and that approved transfer mechanisms are used where appropriate. It also states purpose- and law-based retention criteria. (Marriott Group Global Privacy Statement) That is useful evidence of the present governance model, not proof of the 2014-2018 Starwood architecture or historical compliance.

The lesson is not that global reservation data must always remain in the traveller's country. The evidence supports a more practical rule: a global controller needs a record-level map connecting purpose, person, source, storage, access, transfer mechanism, retention, security controls and responsible legal entity. Without that map, "the database is in the United States" becomes a location fact presented as if it were a governance answer.

The exposed record lowered the cost of convincing contact

Payment cards and passports draw immediate attention because they are familiar identity and financial instruments. The Starwood tables also contained a quieter source of harm: the ingredients for credible contact.

An ordinary phishing message pays a credibility tax. The sender must persuade the recipient that the message concerns a real relationship, event or transaction. A reservation dataset can reduce that cost. A message can name a hotel brand, approximate stay, loyalty relationship, arrival window, destination, companion context, communication preference or flight. Contact details provide the route; travel details provide the pretext; status and preference fields help select the tone.

This is abuse-contact economics. The record does not need to let an attacker directly open a bank account to be useful. It can make the next request cheaper to personalize and harder for the recipient to dismiss. CISA defines spearphishing as targeting an individual with key information about that person. (CISA phishing guidance) The FTC's Marriott consumer alert warned that scammers might exploit the breach announcement itself by impersonating Marriott and directing recipients to false sites. (FTC Marriott breach advice)

The database combined several abuse paths:

  • A name, email and phone number reduce discovery cost and enable channel switching from email to text or voice.
  • Reservation and stay details provide a plausible service problem, refund, invoice, loyalty adjustment or security-warning story.
  • Arrival, departure, airline and location data can make urgency feel contemporaneous.
  • Loyalty identifiers create a second asset class: points, account access and a long-lived customer relationship.
  • Passport numbers and dates of birth can strengthen impersonation attempts or provide verification fragments, even though a passport number alone is not a physical passport.
  • VIP status, employer or preference context can help prioritize targets or tailor executive-style contact.
  • Companion and child counts can expose relational context that the affected person did not expect to be used outside hospitality operations.

These are plausible abuse mechanisms supported by the fields and general fraud guidance. They are not proof that a named campaign used the Starwood records. In March 2019, Sorenson testified that Marriott had not received substantiated fraud-loss claims attributable to the incident and had not found the affected tables offered for sale in its monitoring. The ICO later said it had not seen evidence of financial harm. The FTC complaint, by contrast, alleged that the detailed records caused or were likely to cause substantial injury, including phishing, identity misuse and the burden of monitoring and replacing credentials. The difference is partly legal posture and partly time: absence of observed misuse is not proof of no exposure, but likely harm is not proof of a completed fraud.

Contact economics also affects notification. Marriott needed to email affected guests, but the very existence of a widely publicized notification campaign created a pretext for impostors. The company's real notices had to be distinguishable, multilingual and reachable through independently verifiable channels. The ICO's discussion of the omitted call-centre number shows that notification quality is a security control, not a public-relations accessory.

The longer-term remedy is data minimization. If a field is no longer needed for service, law, fraud prevention or a defined operational purpose, retaining it preserves an attacker subsidy. The FTC's final order requires a retention policy tied to the purpose of collection and the specific business need, a deletion route for US consumers, and limits on using deleted information for marketing. The order turns reduced abuse surface into a governance obligation.

Three enforcement records, three different kinds of accountability

The ICO penalty, state settlement and FTC order should not be blended into one undifferentiated fine.

The ICO penalty is a final administrative decision finding GDPR infringements for a defined 2018 period. It imposed £18.4 million. Marriott did not appeal but said it admitted no liability. The finding, penalty calculation and exclusions are contained in a 91-page notice.

The multistate settlement resolved state allegations and required a $52 million payment. Connecticut's announcement says the coalition alleged violations of consumer-protection, personal-information and, where applicable, breach-notification laws. It requires a comprehensive information-security program, zero-trust principles, asset inventory, hardening, encryption, segmentation, patching, monitoring, vendor and franchisee oversight, consumer deletion and loyalty protections, acquired-entity assessment, and biennial independent reviews for 20 years. (Connecticut attorney general settlement announcement) The entered judgments state that Marriott does not admit a violation or liability; the settlement payment is not a trial verdict for each affected person. (Vermont final judgment)

The FTC matter is an administrative consent proceeding. The complaint alleges deceptive security representations and unfair security practices across the earlier Starwood point-of-sale breach, the Starwood reservation breach and a later Marriott credential incident disclosed in 2020. Allegations in the complaint should be identified as allegations. The final decision and order is binding regardless of whether every allegation was tested in court.

The FTC final order requires a written security program, annual and post-incident risk assessments, board reporting, active review of logs within 24 hours, controls over valid-credential misuse, least privilege, multifactor authentication, configuration hardening, asset and personal-data inventory, encryption or equivalent protection decisions, patch management, segmentation and penetration testing, vendor controls, franchisee oversight, incident reporting, CEO certification and independent assessments every two years for 20 years.

One provision makes the acquisition lesson explicit. After Marriott closes an acquisition of an entity processing personal information, it must assess whether the acquired entity's program complies with the order, create a plan and timeline for gaps, and address deficiencies in acquired IT assets before using them as Marriott production assets. This does not require omniscience before close. It requires controlled admission to production after close.

The order also gives US consumers a deletion request path tied to email address or loyalty account number and requires Marriott to review suspected unauthorized loyalty activity and restore points when it determines third-party unauthorized activity caused a reduction, subject to the order's terms. The FTC's consumer explanation makes those remedies easier to see than the legal document.

Enforcement does not prove present control effectiveness. An order specifies duties; an assessor tests implementation; a certification allocates responsibility. Public readers still do not have the independent assessment reports, detailed exception registers or field-level cryptographic inventory. Marriott's 2025 annual report says the resolutions create long-term requirements and that noncompliance could lead to further enforcement. It also describes a board Technology and Information Security Oversight Committee and continuing cyber-risk processes. Those are governance structures and company representations, not a public assurance opinion.

Private litigation adds another accountability route but not a clean liability verdict. The 2025 Fourth Circuit decision turned on the enforceability of a class-action waiver in the loyalty terms. Decertification changes how claims may be aggregated; it does not decide whether security was reasonable, whether a particular person suffered loss or whether every individual claim fails. Marriott's latest annual report says it disputes the allegations and that proceedings continued as of year-end 2025.

A post-acquisition control scorecard

The useful board question is not "Did diligence happen?" It is "Which inherited claims have been independently converted into operating evidence?"

Control question Public evidence in the Marriott-Starwood record Evidence a responsible owner should be able to produce
What incidents and weaknesses predate closing? Starwood disclosed a separate point-of-sale breach four days after the deal announcement; FTC later alleged Marriott reviewed its causes. Signed incident lineage, open remediation items, forensic scope, disputed facts and post-close validation plan.
Which identities survive the transaction? The reservation attacker used privileged and user credentials; Accenture credentials appeared in later activity. Complete privileged, service, vendor and dormant-account inventory; reissuance or rotation evidence; owner and expiry for every exception.
Can the acquired environment detect behavior after valid login? ICO found insufficient privileged-user and database monitoring despite a SOC, SIEM and compliance assessments. Log-source coverage, activity baselines, export alerts, tested use cases, retention and measured analyst response.
Can one process export an entire sensitive table? Dump-file exports were central to the incident; only selected tables generated Guardium alerts. Database activity-monitoring policy, bulk-export thresholds, dual authorization, egress controls and exercises proving alerts reach responders.
Are critical systems hardened against malware and reconnaissance? ICO found inadequate critical-system control and identified allowlisting or equivalent hardening as appropriate. Configuration baselines, enforcement coverage, exception aging, drift detection and attempted-bypass tests.
What does "encrypted" mean for every field? Millions of passport numbers were plaintext; in 2024 Marriott corrected AES-128 descriptions to SHA-1 for cards and some passports. Schema-level classification, method and version, salt or key architecture where applicable, cryptographic owner, rotation and migration evidence.
Does separation actually reduce risk? Legacy Starwood systems remained separate from the wider Marriott network, limiting access to non-Starwood data but not protecting Starwood records. Tested trust paths, egress restrictions, administrator boundaries, monitoring on both sides and explicit integration gates.
Can the organization count people, not only rows? Public totals moved from 500 million guests to 383 million records and then other proceeding-specific populations. Deduplicated identity logic, data lineage, confidence intervals, per-person field mapping and rehearsed notification datasets.
Where is each record governed? A US database held global records; ICO, US states and other authorities had interests. Storage and backup locality, access geography, legal entity, transfer mechanism, data-subject region and regulator map.
Is retirement a security program or only a migration date? Marriott ended business use of the Starwood database in December 2018. Decommission plan covering copies, interfaces, accounts, secrets, hardware, legal holds, backups and destruction attestations.
Can a future acquisition enter production without inherited gaps? FTC and state orders now require post-acquisition assessment and remediation planning. Go-live criteria, risk acceptance signed at the right level, compensating controls, deadlines and independent closure testing.
Can outsiders verify remediation? FTC requires biennial independent assessment and CEO certification; reports are not generally public. Regulator-ready evidence and, where safe, public aggregate metrics on coverage, exceptions, findings and closure.

This scorecard does not assume that every control was absent everywhere. It translates documented failure modes into proof questions. That is a more demanding standard than a policy checklist because it asks whether inherited systems behave as management believes they do.

Accountability belongs where practical control changes

The unknown intruder or intruders are responsible for unauthorized entry, persistence and export. That responsibility should not be reassigned to the victim organization merely because regulators examine safeguards. Corporate accountability addresses a different question: who controlled the conditions that made access harder to prevent, detect or contain, and who controlled the response?

Starwood controlled the environment at initial compromise. Marriott did not. Starwood also carried the earlier point-of-sale security history into the transaction. These facts matter when reconstructing causation.

Marriott controlled the acquired company after September 2016. It chose to continue the Starwood reservation platform during migration, even for understandable continuity reasons. It controlled the pace and conditions of security enhancement, integration and retirement. The ICO's legal findings begin later, on May 25, 2018, but operational control began at close.

Accenture managed the reservation database and elevated the Guardium alert. Public records also identify compromised Accenture credentials. Those facts establish an important service-provider role, not a complete allocation of contractual or legal fault. The private litigation included claims against Accenture, but this article does not treat unresolved allegations as judgments.

Boards and senior management controlled risk acceptance and evidence demands. Sorenson said he learned of the RAT on September 17 and the board was told the next day. The later FTC order now requires annual board visibility and incident reports, while CEO certification creates a direct accountability channel. Governance is not the board operating a SIEM; it is the board requiring evidence that high-consequence inherited risks have owners, deadlines and verified closure.

Regulators controlled different remedies. The ICO applied a cross-border data-protection framework and issued a reasoned penalty. State attorneys general obtained money, consumer rights and detailed safeguards. The FTC imposed a long-lived program and assessment regime but said it lacked authority to obtain a civil penalty in that case. Different legal powers produce different accountability outputs.

Guests controlled almost none of the pre-breach conditions. They could not inspect logging coverage, know that passport fields had inconsistent protection, see that an attacker used privileged credentials or choose whether the legacy system remained live. Post-breach monitoring, card replacement and phishing caution shift work to them. Deletion and loyalty-review rights help, but they arrive after the organization chose the data architecture.

What can be concluded, and what remains outside the public record

The public evidence supports a firm conclusion that the Starwood reservation environment remained compromised across the acquisition and that Marriott did not detect the intruder for nearly two years after close. It supports the ICO's four GDPR findings for the defined 2018 period. It supports the fact of large, mixed global record populations, the 2024 US settlements and the resulting enforceable safeguards.

It does not identify the attacker through a public criminal judgment. News reports have carried state-actor theories, but the reviewed official records describe an unknown attacker or malicious actors. Attribution should remain unclaimed absent a public charging document or equivalent authoritative evidence.

It does not show exactly which initial vulnerability was exploited, every host reached, every file removed or every person whose data was accessed. It does not disclose the full Verizon forensic report, payment-card forensic report, independent compliance assessments or complete historic log set.

It does not establish that every affected guest suffered fraud, that no guest suffered harm, or that every data combination had equal value. Marriott's 2019 observation of no substantiated attributable fraud and the ICO's lack of observed financial harm are evidence. So are the inherent impersonation and targeted-contact risks recognized by the FTC. The honest conclusion preserves both.

It does not tell the public enough about the SHA-1 implementation to estimate recoverability of specific card or passport values. The correction establishes misclassification of the protection method, not the missing configuration details.

It does not prove that the present Marriott program is ineffective. Nor do policies, committees, spending, regulatory settlements or a decommissioned database prove that all successor controls are effective. That question belongs to operational testing and independent assessment.

The merger lesson is ownership of uncertainty

The strongest lesson from Marriott and Starwood is not that companies should abandon acquisitions involving legacy technology. Nearly every large transaction carries unknown systems, uneven records and inherited exceptions. Nor is the lesson that continuity should be sacrificed to retire every acquired platform immediately. Moving 1,270 hotels while preserving reservations was a real operational constraint.

The lesson is that uncertainty itself becomes an owned risk at close. A buyer can acknowledge limited pre-close access without accepting indefinite post-close ambiguity. It can isolate an inherited network without mistaking isolation for security. It can maintain a legacy database temporarily without giving it temporary standards. It can rely on compliance reports while testing the controls those reports do not cover. It can describe cryptography only after tracing the actual field-level implementation.

The Starwood database contained a business model in miniature: identity, contact, loyalty, payment and movement assembled to make hospitality work across borders. That same assembly made abuse more economical and legal accountability more distributed. Its physical location in the United States did not localize the people, harms or duties. Its inherited status did not suspend the controller's obligations.

The 2024 FTC order now writes the acquisition principle in enforceable language: assess the acquired entity after closing, plan against identified gaps and address deficiencies before acquired assets enter Marriott production. That rule is narrower than omniscience and stronger than diligence theatre. It asks the owner to convert representations into evidence before trust expands.

Marriott bought Starwood's brands, hotels, loyalty relationships and systems. It also bought the burden of discovering what those systems were actually doing. The breach record shows how expensive the distance between architectural belief and operational truth can become. Accountability begins by closing that distance before the next alert has to do it.