Case ID
Marriott 2018: $350M+, the M&A integration breach.
Marriott disclosed on 30 November 2018 that attackers had been inside the Starwood guest-reservation system since 2014, two years before Marriott's 2016 acquisition of Starwood. The four-year undetected dwell time exposed reservation data for 500 million Starwood guests, including passport numbers for 327 million. The case became the canonical demonstration of why pre-merger cybersecurity due diligence is non-negotiable and produced the first major GDPR enforcement action against a US company.
| Metric | Value | Note |
|---|---|---|
| Guests affected | 500M | Starwood reservations 2014-2018 |
| Total cost | $350M+ | Cumulative disclosed |
| ICO penalty | £18.4M | Reduced from £124M |
| Dwell time | 4 years | Pre + post merger |
Section MAR.1: The 2014 intrusion that survived a 2016 merger
Starwood's guest-reservation system was compromised in July 2014 by an actor that the UK ICO subsequently described as "sophisticated" (widely reported to be Chinese state-affiliated). The attacker maintained persistent access to the Starwood reservation database and exfiltrated data on an ongoing basis for over four years. The intrusion was not detected by Starwood before the September 2016 closing of the $13.6 billion acquisition by Marriott, nor by Marriott during the post-merger integration period from September 2016 through September 2018, when Marriott was actively migrating Starwood systems onto Marriott infrastructure.
Detection occurred on 8 September 2018 through an internal security tool that flagged an unusual query against the Starwood guest-reservation database. The internal investigation that followed confirmed the breach within days. Marriott's public disclosure followed on 30 November 2018, an 83-day delay that the UK ICO subsequently characterised as reasonable given the investigation complexity but that the SEC later flagged as the kind of timing decision the post-2023 Item 1.05 rule was designed to address.
The pre-merger due diligence did not include any active security testing of the Starwood reservation infrastructure. Marriott had relied on representations and warranties in the merger agreement plus generic IT-systems due diligence. The case has since been cited extensively in mergers and acquisitions cybersecurity playbooks, with active pre-close penetration testing now a standard component of due diligence for any acquisition of meaningful scale.
Section MAR.2: The $350M+ cost composition
| Cost line item | Amount | Source |
|---|---|---|
| ICO GDPR penalty (UK) | £18.4M ($23.8M) | ICO monetary penalty notice 30 October 2020 |
| FTC settlement (US) | $52M (multi-state coordinated) | FTC consent order 9 October 2024 |
| State AG settlement (49 states + DC) | $52M | Multistate AG announcement 9 October 2024 |
| Direct response and remediation | ~$200M | Marriott SEC 10-K filings 2018-2020 |
| Class-action litigation reserve | Disclosed but not yet settled | Multidistrict litigation pending in District of Maryland |
| Insurance recovery (estimated offset) | -($80M est.) | Marriott SEC 10-K filings 2018-2020 |
| Net cumulative cost | $350M+ | Marriott SEC 10-K filings 2018-2024 |
The class-action multidistrict litigation in the District of Maryland remains unresolved as of mid-2026, with a settlement widely expected in the $50M-$150M range based on comparable cases. Final cost will likely exceed $400M when all components settle.
Section MAR.3: The ICO penalty: £124M reduced to £18.4M
The UK ICO's initial Notice of Intent published in July 2019 indicated a proposed penalty of £99.2M ($124M at the then-prevailing exchange rate). The final monetary penalty notice issued 30 October 2020 reduced the penalty to £18.4M. The 85% reduction reflected three factors: representations from Marriott about the cooperation provided to the ICO investigation, the COVID-19 economic impact on the hospitality sector, and the steps Marriott had taken to mitigate the breach impact.
The Marriott penalty was issued in parallel with the British Airways penalty (reduced from £183M proposed to £20M final), both representing the first major GDPR enforcement actions by the ICO. The aggressive proposed penalties followed by substantial reductions on appeal set an expectation that ICO proposed-vs-final ratios would run 70-90% reduction. This expectation has been broadly borne out in subsequent ICO actions, though the post-2023 ICO has signaled an intent to reduce the gap between proposed and final penalties.
The substantive ICO findings were that Marriott had failed to undertake sufficient due diligence when it acquired Starwood, and had failed to implement adequate security measures to detect the compromise after the acquisition. The ICO specifically noted that Marriott's use of legacy Starwood IT infrastructure for two years post-merger was the proximate cause of the prolonged exposure.
Section MAR.4: The pre-merger due diligence lesson
Marriott's pre-merger due diligence on Starwood's cybersecurity posture was substantively limited to: representations and warranties in the merger agreement, review of Starwood's most recent SOC 2 attestation, review of Starwood's PCI DSS Report on Compliance, and discussion with Starwood's senior IT and security leadership. No active penetration testing of the reservation infrastructure was conducted as part of due diligence. The core lesson was that representations and warranties are no substitute for active testing.
Post-Marriott, active pre-close penetration testing has become standard for acquisitions above approximately $100M in deal size in regulated industries, and increasingly standard for unregulated industries as well. The cost of pre-close active testing typically runs $200K-$1M depending on scope, a trivial fraction of typical deal size. The expected reduction in post-merger cyber-incident exposure justifies the investment with substantial margin even when no findings emerge.
The deal-financing community has internalised the lesson as well. By 2022, mid-market private-equity firms had largely adopted cybersecurity due diligence as a standard pre-close workstream, with several major firms maintaining permanent cybersecurity-diligence retainers with specialist firms. The post-Marriott shift in deal practice is likely the largest single behavioral change attributable to a specific breach in the M&A market.
Section MAR.5: The passport-number exposure and what it actually costs
The exposure of 327M passport numbers in the Marriott breach was unusual. Most data breaches expose SSNs, credit-card numbers, or email-and-password combinations; passport-number exposure at this scale was unprecedented. Marriott offered affected guests free WebWatcher monitoring through Kroll for one year, plus reimbursement for the cost of replacing passports. The passport-replacement reimbursement carried a per-claim value of approximately $145 in the US (the State Department fee), with reduced cost in jurisdictions that have lower passport fees.
Per-class member effective compensation for the credit-monitoring and passport-replacement components combined was approximately $150-$200 for class members who claimed both. Compared to the typical $30-$80 per-class-member compensation in healthcare breaches, the Marriott settlement value was relatively generous on a per-class basis, reflecting the higher unit cost of passport-replacement remediation. Total class-action reserve has been disclosed but not crystallised because the multidistrict litigation continues.
Cross-references

- Regulation / GDPR → ICO penalty mechanism: £18.4M Marriott as worked example.
- Case / Equifax 2017 → Other landmark mega-breach: $1.4B+.
- Cost / Notification → 500M-class notification cost composition.
- Cost / Class-action settlement → Per-plaintiff economics for mega-breaches.
- Index / All breach cases → 22 verified mega-breach case studies.
- Schedule F / Reference Q&A → Frequently Asked Questions.

Primary source: Marriott 2018 breach data from ICO monetary penalty notice 30 October 2020, FTC consent order 9 October 2024, multistate AG announcement 9 October 2024, Marriott SEC 10-K filings 2018-2024, and pre-disclosure UK ICO Notice of Intent July 2019.