Forensic investigation determined attackers had been present in Starwood's reservation database since at least 2014. Marriott completed the Starwood acquisition in September 2016. The intrusion persisted for over four years in total before discovery.

Approximately 339 million unique guest records were exposed, including approximately 5.25 million unencrypted passport numbers, 20.3 million encrypted passport numbers, encrypted payment card details, travel itineraries, and personal contact information.

US and UK intelligence agencies attributed the breach to APT10 (Stone Panda), a threat actor assessed to be operating under the direction of China's Ministry of State Security. The Washington Post and Reuters reported the attribution citing US officials. The Chinese government denied involvement.

Marriott's $13.6 billion acquisition of Starwood in 2015-16 did not include cybersecurity due diligence sufficient to detect an ongoing intrusion. Critics and the ICO noted this as a systemic failure of corporate acquisition practice in the technology sector.

The UK's Information Commissioner's Office issued an initial fine of £99.2 million in July 2019 under GDPR Article 83. Following representations from Marriott — citing COVID-19's economic impact and the company's cooperation — the ICO reduced the fine to £18.4 million in October 2020.

After completing the Starwood acquisition, Marriott did not promptly migrate Starwood's reservation systems to its own infrastructure. The Starwood Reservation Database continued to operate as a separate legacy system, deferring the security review that would have been required in a migration.

Privacy advocates and data protection specialists criticised the ICO's reduction of the fine from £99.2M to £18.4M, arguing it weakened the deterrent effect of GDPR enforcement and sent a poor signal about accountability for large-scale breaches involving acquisition due-diligence failures.

Marriott notified the ICO within the 72-hour GDPR breach notification requirement. This compliance with notification rules was cited in the ICO's subsequent proceedings as a mitigating factor alongside Marriott's cooperation with the investigation.

Cyber-security due diligence in major corporate acquisitions was not standardized practice in 2015-2016 when Marriott acquired Starwood. The gap was a known industry problem — acquirers routinely inherited legacy security vulnerabilities without discovering them pre-close. Post-Marriott, M&A cybersecurity diligence became a standard practice area. This trajectory — problem identified, industry practice changes — is consistent with systemic learning, not with evidence that Marriott knew of the breach during acquisition and concealed it.

The attribution of the Marriott Starwood breach to APT10 (Stone Panda), a Chinese state-sponsored threat actor, reflects consensus findings from Marriott's forensic investigators (FireEye/Mandiant), UK NCSC, and US IC community assessments. The UK ICO's finding of inadequate security — resulting in a fine — and the subsequent US DOJ indictment of APT10 members for related campaigns both occurred through transparent legal and regulatory processes. The breach's state-actor attribution is one of the more robustly documented in commercial cyber-espionage history.

Forensic investigation determined attackers had been present in Starwood's reservation database since at least 2014. Marriott completed the Starwood acquisition in September 2016. The intrusion persisted for over four years in total before discovery.

Approximately 339 million unique guest records were exposed, including approximately 5.25 million unencrypted passport numbers, 20.3 million encrypted passport numbers, encrypted payment card details, travel itineraries, and personal contact information.

US and UK intelligence agencies attributed the breach to APT10 (Stone Panda), a threat actor assessed to be operating under the direction of China's Ministry of State Security. The Washington Post and Reuters reported the attribution citing US officials. The Chinese government denied involvement.

Marriott's $13.6 billion acquisition of Starwood in 2015-16 did not include cybersecurity due diligence sufficient to detect an ongoing intrusion. Critics and the ICO noted this as a systemic failure of corporate acquisition practice in the technology sector.

The UK's Information Commissioner's Office issued an initial fine of £99.2 million in July 2019 under GDPR Article 83. Following representations from Marriott — citing COVID-19's economic impact and the company's cooperation — the ICO reduced the fine to £18.4 million in October 2020.

After completing the Starwood acquisition, Marriott did not promptly migrate Starwood's reservation systems to its own infrastructure. The Starwood Reservation Database continued to operate as a separate legacy system, deferring the security review that would have been required in a migration.

The attribution of the Marriott Starwood breach to APT10 (Stone Panda), a Chinese state-sponsored threat actor, reflects consensus findings from Marriott's forensic investigators (FireEye/Mandiant), UK NCSC, and US IC community assessments. The UK ICO's finding of inadequate security — resulting in a fine — and the subsequent US DOJ indictment of APT10 members for related campaigns both occurred through transparent legal and regulatory processes. The breach's state-actor attribution is one of the more robustly documented in commercial cyber-espionage history.

Privacy advocates and data protection specialists criticised the ICO's reduction of the fine from £99.2M to £18.4M, arguing it weakened the deterrent effect of GDPR enforcement and sent a poor signal about accountability for large-scale breaches involving acquisition due-diligence failures.

Marriott notified the ICO within the 72-hour GDPR breach notification requirement. This compliance with notification rules was cited in the ICO's subsequent proceedings as a mitigating factor alongside Marriott's cooperation with the investigation.

Cyber-security due diligence in major corporate acquisitions was not standardized practice in 2015-2016 when Marriott acquired Starwood. The gap was a known industry problem — acquirers routinely inherited legacy security vulnerabilities without discovering them pre-close. Post-Marriott, M&A cybersecurity diligence became a standard practice area. This trajectory — problem identified, industry practice changes — is consistent with systemic learning, not with evidence that Marriott knew of the breach during acquisition and concealed it.