Me again. Marriott is on everyone's minds today, but it's not Bonvoy that's doing it. If you haven't heard it yet, Marriott was fined $124M US by the ICO for GDPR violations resulting from their breach.
Here's the thing: they inherited that breach from the Starwood Alliance. It wasn't Marriott that suffered the breach; it was the company they acquired.
Remember Colin Powell's "Pottery Barn" aphorism? "You break it, you own it"? This is a variation on a theme. You buy it...you own it.
The US, and the world, are M&A crazy right now. Companies are spinning off business units and selling them to others, or acquiring smaller startups and competitors, or giants are combining in hopes of maintaining their advantage in the marketplace.
The issue today is that security issues generally aren't included in the due diligence of those transactions.
I think that's about to change, partly because of today's ruling; organizations might be able to weather the bad press, but there will be consequences. There will be more attention paid to the Infosec posture and stability on both sides of the transaction, where in the past IT and Infosec organizations were just told to make it work after the deal's been inked.
Again, it's going to come back to visibility. Seeing the anomaly and knowing what your (and your new partner's) application environment looks like will become--had better become--as much a part of M&A due diligence as dotting the fiduciary i's has been in the past.
"Before Marriott and Starwood even began talks around the acquisition, hackers stole roughly 500 million Starwood customer records, including payment information. Without conducting a thorough due diligence process, Marriott unknowingly inherited Starwood’s vulnerabilities. When the incident came to light in 2018, the result was negative press for Marriott resulting in reputational harm, new legal liability and a decline in share price.