M&A Security Series: Lessons learned from Equifax and Marriott data breaches (Part 2)

"Any press is good press" applies only to celebrities and politicians. When it comes to how an organization secures your personal data, bad press is bad press, and the fury of the public and of the regulators will hit that organization's bottom line.

As you may recall from Part 1 of my mergers and acquisitions security series, I highlighted a few key security mistakes organizations make during an M&A IT integration. In Part 2, I focus on two headline-grabbing examples that expose the M&A IT integration security failures of major corporations.

Lessons from the Marriott data breach

When Marriott International purchased Starwood Hotels, the CEO predicted the combined hotel chain would realize $200 million in annual cost synergies. Back-office and operational efficiencies would deliver most of this value.

But Marriott failed to do two major things during their acquisition – perform a cybersecurity analysis of Starwood systems and put in place protective measures around their data while they vetted the security of the acquired environment.

The overall market estimate of the cost of the Marriott data breach is upwards of $3.5 billion – BILLION! That includes the ICO's proposed GDPR fine of more than £99 million (about $124 million) [1], potential U.S. Securities and Exchange Commission action, litigation costs, and loss of customer trust [2].

A recent announcement from the UK's Information Commissioner's Office (ICO) cited Marriott's lack of security due diligence and its failure to secure its systems during the acquisition:

“The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making an acquisition.”

– Elizabeth Denham, Information Commissioner [1]

The very vehicle by which Marriott expected to realize $200 million in annual savings is the one costing it up to $3.5 billion!

The lessons here – do not skip or rush cybersecurity due diligence before a deal closes, AND maintain CONSTANT VIGILANCE after the deal is done by monitoring the acquired environment for suspicious behavior. Trust takes time, and trusting someone else's cybersecurity hygiene means monitoring and protecting your own data throughout the process.

Lessons from the Equifax data breach

The Equifax data breach at first glance doesn't appear to have anything to do with M&A activity. It looks more like poor patching and monitoring – and, yes, it was that. The U.S. House of Representatives Committee on Oversight and Government Reform said in its report that the breach, which exposed the personal information of 148 million Americans, was "entirely preventable" had Equifax put adequate preventative security measures in place. Equifax failed to patch its systems when vulnerabilities were announced, and it stored PII on legacy, sub-par systems [3].

Dig deeper into the U.S. House report and you'll quickly find that this perfect storm was created in large part by Equifax's aggressive acquisition spree. Equifax acquired eighteen companies, making it one of the largest private credit-tracking firms in the world and quadrupling its market value. But its acquisition appetite came with a big belly-ache.

“While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks.”

– U.S. House Report

Graeme Payne, Senior Vice President and Chief Information Officer, said Equifax had grown significantly over the last ten years with a number of acquisitions and integrations adding to the complexity of the technology situation, making the application of security methodologies and tools even more challenging.

Complexity breeds risk! Failing to modernize legacy applications AFTER the major M&A activity is over is a major omission many organizations make. To the business, modernizing and re-architecting legacy applications looks like a case of diminishing returns: a great deal of effort and work that doesn't appear to add any immediate value.

So organizations create workarounds and leave old Active Directory forests and domains running for years: forgotten, unpatched, unmonitored, and riddled with the kinds of loopholes and backdoors that are ripe for a threat actor to exploit.
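A practical first step against the "forgotten directory" problem is simply to inventory it. The script below is an added example written for this article, not code from the original page or from Quest's products: a read-only PowerShell pass over an acquired or legacy Active Directory forest that lists its trusts, its domain controllers and their operating systems, enabled accounts that have not logged on recently, and the recursive membership of its privileged groups. It assumes a domain-joined host with the RSAT ActiveDirectory module and an account that can read the target forest; the $StaleDays threshold and the $legacyOs list are illustrative assumptions, not values from the article.

```powershell
# Added example, not code from the article or from Quest's products: a read-only
# inventory of an acquired (or long-forgotten) Active Directory forest.
# Assumptions: runs on a domain-joined host with the RSAT ActiveDirectory module and
# an account that can read the target forest; $StaleDays and $legacyOs are
# illustrative thresholds chosen for this example.
#Requires -Modules ActiveDirectory
param(
    [string]$Forest = (Get-ADForest).Name,   # defaults to the forest this host is joined to
    [int]$StaleDays = 90                     # assumption: 90 days without a logon = stale
)

$cutoff    = (Get-Date).AddDays(-$StaleDays)
$forestObj = Get-ADForest -Identity $Forest
# Assumption: DC operating systems we would treat as out of support and flag.
$legacyOs  = 'Windows Server 2003*', 'Windows Server 2008*', 'Windows Server 2012*'

foreach ($domain in $forestObj.Domains) {

    # 1. Trusts: each one is a path between the acquired environment and yours.
    #    SID filtering disabled or selective authentication off widens that path.
    Write-Host "`n== Trusts from $domain =="
    Get-ADTrust -Filter * -Server $domain |
        Select-Object Name, Direction, TrustType, ForestTransitive,
                      SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication |
        Format-Table -AutoSize

    # 2. Domain controllers: an unsupported OS on a DC is the unpatched legacy
    #    system the article warns about. LegacyOS is $true when it matches $legacyOs.
    Write-Host "== Domain controllers in $domain =="
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object HostName, IPv4Address, OperatingSystem, IsGlobalCatalog, IsReadOnly,
                      @{n='LegacyOS'; e={ $os = $_.OperatingSystem
                                          [bool]($legacyOs | Where-Object { $os -like $_ }) }} |
        Format-Table -AutoSize

    # 3. Stale but still-enabled user accounts: exactly what a forgotten directory accumulates.
    Write-Host "== Enabled users in $domain with no logon since $($cutoff.ToShortDateString()) =="
    Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } `
               -Properties LastLogonDate, PasswordLastSet -Server $domain |
        Sort-Object LastLogonDate |
        Select-Object SamAccountName, LastLogonDate, PasswordLastSet |
        Format-Table -AutoSize

    # 4. Privileged group membership, expanded through nested groups: once a trust
    #    exists, these accounts matter to your forest, not just to theirs.
    foreach ($group in 'Domain Admins', 'Administrators') {
        Write-Host "== Members of '$group' in $domain (recursive) =="
        Get-ADGroupMember -Identity $group -Server $domain -Recursive |
            Select-Object SamAccountName, objectClass, distinguishedName |
            Format-Table -AutoSize
    }
}
```

Run it once per acquired forest before a trust is created, and again on a schedule afterwards; every DC flagged LegacyOS, every enabled account with no recent logon and every privileged member you cannot name an owner for is a concrete item for the Day 2 backlog rather than an abstract "legacy" worry.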

The lesson here – don't forget to modernize your legacy applications after the big rush of M&A activity is finished, or you too could face a data breach that was "entirely preventable."

Learn more about security pitfalls during an M&A in this e-book: How mergers and acquisitions impact data security


Repeatable M&A framework

We know the IT integration side of an M&A is neither easy nor small. While each M&A is different, the methodology doesn't change, and your chance of success is much higher when you implement repeatable processes.

Quest offers a complete and repeatable software and services framework for M&As from Day 0 IT Due Diligence, to Day 1 IT integration and Day 2 ongoing management and security.

Don’t complicate your M&A IT integration further by using multiple products from multiple vendors. Standardize on a partner with the tools and expertise to offer a multitude of flexible approaches for Day 1. Quest delivers a repeatable framework that allows you to become familiar with a set of solutions, and a single support and services team.


  1. Information Commissioner’s Office, “Statement: Intention to fine Marriott International, Inc. more than £99 million under GDPR for data breach,” July 2019.
  2. ZDNet.com, “Marriott faces massive data breach expenses even with cybersecurity insurance,” November 2018.
  3. U.S. House of Representatives Committee on Oversight and Government Reform, Majority Staff Report, “The Equifax Data Breach,” December 2018.


About the Author

Jennifer LuPiba

Jennifer LuPiba is the Chair of the Quest Software Customer Advisory Board, engaging with and capturing the voice of the customer in areas such as cybersecurity, disaster recovery, management, and the impact of mergers and acquisitions on Microsoft 365, Azure Active Directory and on-premises Active Directory. She also writes thought leadership articles and blogs aimed at the C-suite to evangelize the importance of these areas to their overall business. She chairs The Experts Conference, a yearly event focused on pure Active Directory and Office 365 training at the 300 and 400 level for the boots-on-the-ground Microsoft admins and managers.
