Marriott International's efforts to acquire Starwood Hotels and Resorts Worldwide — combining two major hotel chains that have suffered data breaches — should force both chains to reexamine the way they handle sensitive payment card data.
Last week, Starwood said it agreed to a $13.6 billion bid from Marriott, a figure Marriott threw into the mix after China's Anbang Insurance Group had topped Marriott's original $12.2 billion offer. A counteroffer was expected, and Starwood reported March 28 that Anbang upped the ante to an all-cash deal at $14 billion.
Regardless of how this deal turns out, it stands as a perfect example of the minefield of mergers and acquisitions in the modern world, particularly in terms of data security.
"All large enterprises not only need to protect themselves, but know how to react to breaches as well," said Steven Grossman, vice president of product management for Bay Dynamics, a cyber risk analytics company focusing on insider and third-party vendor threats.
As a company conducts its due diligence for an acquisition, it must understand the other company's security standards and practices, as well as how previous breaches occurred and were resolved, Grossman said.
In this particular case, it is not clear if Marriott was aware that Starwood was dealing with a data compromise. In November of 2015, Starwood reported a data breach that covered an eight-month time frame and affected credit and debit card data at 54 locations. That breach occurred from November 2014 to April 2015, and Starwood revealed it just days after Marriott made its initial offer to acquire the chain.
In February 2015, Marriott informed its customers that a breach lasting seven months affected some of its hotels (which were later reported to be operated through franchise operator White Lodge Services).
Both the Starwood and Marriott incidents were attributed to malware infecting the hotel point of sale terminals either at front desks or in the hotel bars or restaurants. Marriott did not respond to inquiries prior to deadline.
"Risk management is all about understanding where risk factors are and reacting to those exposures," Grossman said. "If you understand where they are, you can decide to mitigate and fix them, or accept them and take the risk as part of the acquisition."
In some cases, a company acquiring another will offer mitigation through another party and establish insurance coverage for the future, he added.
In transactions of this size, it is vital to make sure no major exposures exist that will impact the value of the company through lawsuits, regulatory actions, lost revenue or tarnished reputations, Grossman said.
Even after an acquisition, the chief information security officer becomes "the quarterback of the whole thing" in assessing security of the merged network and making sure everyone from the front desk of the hotel to top management understand the security policies and procedures, Grossman said.
Marriott and Starwood also cannot downplay the potential of insider threats, as numerous employees with access to key information and networks may lash out if they worry their jobs will be at risk in the aftermath of a merger, Grossman added.
On top of that, hotels are also vulnerable to the third-party vendor problems like those that affected Target and Home Depot in recent years.
"Vendors have a lot of access to data and the company needs to be able to identify when someone is in the network doing something they shouldn't be doing," Grossman said.
Hotels also have to deal with the fact that their networks present opportunities for cyber thieves. Security experts point to the connections and gateways that function within retail or service business networks as weak spots criminals will target.
"It's a complex integration process, even if it were just the regular product development life cycles in the hotel network, as those tend to open up unwitting holes for criminals," said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
When networks merge, it becomes a full-scale IT project, Conroy said. "Now, more than ever, internal security experts have to have a seat at the table [in acquisition negotiations]," Conroy added. "If not being front and center from the start of the process."
A hotel's handling of card data has always been a concern in the security industry because of the amount of time — most often the length of a visitor's stay — that the data stays in a system.
"It really depends on the software the hotel is using [as to how long data sits in the system]," Conroy said. "[The Payment Card Industry data security standard] says the data has to be in some type of tokenized or encrypted form, but that doesn't mean everyone is doing that."