Reports on the Marriott guest data breach have suggested the most probable cause was a result of the technology platform deployed by Starwood under the name “Valhalla.”

As the senior vice president of technology solutions at Starwood Hotels & Resorts from 2001 to 2006, I worked on Valhalla and wrote about Marriott’s decision not to use it moving forward in 2016.

Get a dose of digital travel in your inbox each day Subscribe to our newsletter below Submit I accept the Terms and Conditions and Privacy Policy





While some breaches might be due to architectural or design weaknesses, most are due to operational or human factor causes.

The Valhalla system was fully activated in 2009, and my understanding is that all best practices were followed in its design (firewalls, DMZs, encryption, etc.).



The fact is, if we accept Marriott’s statement that the breach began in 2014, the system would already have been operating securely for five years.

It is difficult to imagine how an architectural or platform vulnerability would not have been discovered or exploited sooner.

Fact vs. fiction

One of the stumbling blocks in trying to determine what might have occurred is Marriott’s announcement, which is not very detailed.

Some facts are in order:

Following standard architectures, the Starwood system would consist of multiple databases and sub‐systems. The most relevant to the discussion are the SPG System with its SPG members database, the actual reservation system where active bookings are kept, and a Data Warehouse used for analytical and marketing purposes.

It is known that soon after Marriott took control of Starwood, they began to migrate the Starwood Data Warehouse to Marriott. From a purely business perspective this makes sense, since one of the most valuable and rapidly actionable Starwood assets would have been its historical booking records. Marriott would surely have wanted access to the wealth of Starwood guest data as soon as possible for its own marketing purposes.

As for what we publicly know, the Marriott announcement alleges the following:

That the data security incident involved the Starwood guest reservation database. Marriott believes information regarding approximately 500 million guests who had ever made a reservation at a Starwood property had been stolen. That Marriott’s discovery of the breach was triggered on September 8, 2018, when Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott further announced that they learned during the investigation that there had been unauthorized access to the Starwood network since 2014. That some information included encrypted payment card numbers and payment card expiration dates. There are two components needed to decrypt the payment card numbers, and that at this point, Marriott has not been able to rule out the possibility that both were stolen.

Regarding the first point, Marriott seems to suggest the breach was made in the reservation system.

However, it is unlikely this system would have had 500 million records, given the practice to remove booking records a number of days after checkout.



Even assuming half a million rooms in Starwood’s inventory at 90% occupancy, with average lengths of stay of two days, and up to two years of advance booking, such a database would not exceed 200 million records.

As for the SPG database, it would contain one record from each SPG member, but not even under the most optimistic scenarios would Starwood have had 500 million registered SPG guests.

Clues elsewhere

This leaves the Data Warehouse. The Data Warehouse would contain the booking records for several prior years, and it clearly could contain 500 million records. This is most likely the area from which the data was stolen.

However, given that some of that data had already been migrated to Marriott, it is hard to say for certain whether the breach occurred in the Starwood system, the Marriott system, or in transit as a result of exposure during the Extract‐Transform‐Load process used during the migration.



The second point appears to indicate Marriott first detected the issue back in September of this year (presumably by using a traffic detection tool).

It is almost impossible to imagine a scenario in which an external hacker is able to gain access to the primary encryption keys. Israel del Rio Share this quote

We do not know when such a tool was first used, but what’s most confounding is Marriott’s assurance that the breach first occurred in 2014.

If the detection tool was used prior to this September, why hadn’t the breach been detected earlier? And if the tool was not used earlier, how can they be so sure the breach occurred in 2014?



Some in the media mention that the stolen data contains bookings from 2014, and this is the reason behind the assumption that the breach took place at that time.

The Data Warehouse contains booking data going back several years. The Data Warehouse data could have been exposed recently and still show stolen records from 2014.



As I mentioned earlier, security breaches can be the result of the exploitation of platform weaknesses.

These occur most frequently in smaller companies without the resources to properly design and deploy known defenses such as firewalls, router configurations, encryption, monitoring or to staff their operations sufficiently.

Still, most commonly, breaches occur when someone obtains an administrative password via deceitful means (e.g., phishing attacks), enabling them to log into the system and install Trojan software to extract data or to manipulate the system.

This is the method the Russians used to hack into the Democratic National Committee emails, for example.

Inside, outside - blame games

Another manner in which breaches occur is when they are conducted by internal staff.

This type of inside job is particularly pernicious because it is often impossible to determine the extent of the exposed vulnerability.

Marriott’s third point raises eyebrows because they say there is the possibility that the primary encryption key was also exposed.

It is almost impossible to imagine a scenario in which an external hacker is able to gain access to the primary encryption keys.

It is difficult to imagine how an architectural or platform vulnerability would not have been discovered or exploited sooner. Israel del Rio Share this quote





In summary, there is clearly a lack of information forthcoming at this time from Marriott to truly determine what has occurred.

It is possible that the Starwood system was in fact breached. Marriott had laid off most of the Starwood technology staff at the end of 2017, and whatever operational or migration issues this might have caused should be evaluated.



But more information is clearly needed, otherwise we will continue to see media speculation, such as the idea that China is the culprit, among other theories and noise.

For now, I hope this article highlights why it might be too soon to jump to any conclusions.

What is needed instead is an objective assessment of what happened, regardless of accountabilities.

Finding out exactly what went on is paramount to ensuring these types of data exposures do not happen again and to regain the trust and confidence of the guests.