Watchdog Transparency Blog

In our Blog we take a critical look at public company disclosures and focus on issues surrounding transparency, reliability and accuracy. It you are looking for cheerleading, you have come to the wrong place. We rely on information from the best sources available to gain insight into companies and make predictions about what will happen in the future. Nothing in business is certain, so sometimes we will be wrong, but we will always be an independent voice telling you the truth as we see it. We offer Retail Investors our Research Reports for Free.

Sign up to get all of our blogs delivered directly to your inbox.

Marriott: 500 Million Customers Might Not Be Wrong, But They Might Be Upset

On November 30, 2018 Marriott International (MAR) publicly disclosed that it had a data security breach. It became aware of the breach September 8, 2018. Their internal investigation showed 500 million customer records had been stolen from its Starwood guest reservation system.

Watchdog’s Concerns

Preventing a cyber breach is a fundamental duty of every management team at every public company. Any breach is troubling, but a breach of this magnitude (500 million customer records!) is a signal of a massive management failure of internal controls. Moreover, this is the SECOND breach in the same system – an almost unforgivable error.

How Marriott handled disclosing the breach is very troubling to us because it shows the damage weak management actions can have on innocent investors. Take a look at the Marriott stock price chart below. The start date of the price chart is September 1, 2018 (end date is March 7, 2019).

Arrow A on the chart marks the date the breach was first known at Marriott. At this point, likely the IT department and perhaps the most senior officers might know of the breach. Yet, notice the large spike in trading volume at Arrow B on the chart. This is September 21, 2019.

Next notice Arrow C which clearly shows a steep decline in Marriott’s stock price from September 30 to October 24 as the stock price drops from $132 per share to $107 per share (19% decline). Notice also the heavier trading volume of Marriott during the same period (along the bottom of the chart).

84 days after the first signal of the breach, on November 30, 2018, find Arrow D. On that date, for the first time, Marriott files an 8K with the SEC and releases a press release notifying the public of the data breach.

Mariott Graph 03 18 19.JPG

You will notice Arrow E follows yet another steep decline after the public disclosure, reaching a low price point of $101 on Christmas Day, 2018.

In other words, Marriott’s cyber breach coincided with a collapse in Marriott’s stock price from a high of $132 down to a low of $101 in just 84 days. That is a 24% loss for investors.

But notice the trading happening during those 84 days. Some selling shareholders did better than others. To paraphrase George Orwell in “Animal Farm”: All shareholders are equal, but some shareholders are more equal than others.

By that we mean that between September 21 and November 30, some investors may have known something was up at Marriott and were possibly taking advantage of their knowledge to sell ahead of other investors who only sold AFTER the official November 30 disclosure date. This is the kind of possible losses investors incur when management fails to manage information well.

Beyond the obvious stock price collapse issues, Watchdog found other issues related to this breach. Consider the breach came from a merger deal with Starwood. The Marriott/Starwood deal was over 5x larger than the next closest recent M&A deal in the hotel industry (Wyndham buying LaQuinta). Large deals require due-diligence.

Looking back over lawsuits filed against Starwood before the merger with Marriott, we found the case of Dugas v. Starwood Hotels & Resorts Worldwide Inc et al. We note this case was NOT disclosed in the most recent Marriott 10k. Here’s the opening statement from that suit’s amended filing 12/7/2016:

This is a class action brought on behalf of Starwood Resorts/Sheraton Hotel customers. (“Defendants”) Defendants have, carelessly or recklessly, failed to protect their customer records, and as a result those records were hacked and stolen by third parties, thereby exposing Plaintiff to damages. Defendants’ conduct violates Sections 1798.81.5of the California Business & Professions Code. On November 20, 2015, Defendants disclosed for the first time that hackers had breached its database containing sensitive records including: names, credit card numbers, security codes and expiration dates.

Given that the current breach happened from within the Starwood reservation system, in the Starwood Loyalty program, this case is very important. Management at Marriott (and Starwood) do not have the luxury of claiming ignorance of the possibility of a data breach in the same system just 2.5 years earlier. Digging further into Marriott’s peers, we found 70 items of litigation (identified in Item 3 of non-gaming hotel company quarterly filings) which cited cyber security breaches. Presumably, a thorough due diligence during the merger would have caught this previously identified risk of cyber security and provided the impetus for management focus in protecting against this.

Yet another bothersome issue relates to Marriott’s CEO and CFO sworn statements about their internal controls. In the company’s 10Q Nov. 11, 2018, the CEO and CFO both gave themselves an “effective” grade for internal controls. Given the breach happened Sept. 8, 2018, we find it very odd that the CFO and CEO would have both given statements that Marriott had effective controls. Here is the sworn statement:

Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;

So while the breach was known and being investigated, neither the CEO or CFO admitted to ineffective controls. Next note the contrast in these two statements below. The first comes from Marriott’s Nov. 11, 2018 10Q and the second from their March 1, 2019 10K:

Item 4: Based upon this evaluation, our Chief Executive Officer and the Chief Financial Officer concluded that our disclosure controls and procedures were effective….

Versus:

…management assessed the effectiveness of the Company’s internal control over financial reporting…Based on this assessment, and the existence of a material weakness related to the accounting for our Loyalty Program…., as of December 31, 2018, the Company’s internal control over financial reporting was not effective…

We do appreciate that EY, Marriott’s external auditor, recognized the breach as a failure of Marriott’s management to have proper controls. Such statements are a big deal. EY filed only 2 such statements for their 148 S&P 500 clients in 2018. EY’s statement in the March, 2019 10K was:

We have audited Marriott International, Inc.’s internal control …In our opinion …Marriott International, Inc. (the Company) has not maintained effective internal control over financial reporting as of December 31, 2018, based on the COSO criteria.

All these weaknesses at Marriott have led to a class-action suit against Marriott from the breach. We note that class-action suits are rare in the hotel space. There were only three in the last five years, including the one related to this breach: McGrath v. Marriott International Inc et al, New York Eastern District Court.

Finding and stopping cyber breaches is a reality every company must deal with. How a company’s management handles the disclosure demonstrates their clarity of thinking during a crisis and most importantly, how they view their responsibility for disclosing information to protect all investors.

Watchdog Transparency Blog

In our Blog we take a critical look at public company disclosures and focus on issues surrounding transparency, reliability and accuracy. It you are looking for cheerleading, you have come to the wrong place. We rely on information from the best sources available to gain insight into companies and make predictions about what will happen in the future. Nothing in business is certain, so sometimes we will be wrong, but we will always be an independent voice telling you the truth as we see it. We offer Retail Investors our Research Reports for Free.

Sign up to get all of our blogs delivered directly to your inbox.

Marriott: 500 Million Customers Might Not Be Wrong, But They Might Be Upset

On November 30, 2018 Marriott International (MAR) publicly disclosed that it had a data security breach. It became aware of the breach September 8, 2018. Their internal investigation showed 500 million customer records had been stolen from its Starwood guest reservation system.

Watchdog’s Concerns

Preventing a cyber breach is a fundamental duty of every management team at every public company. Any breach is troubling, but a breach of this magnitude (500 million customer records!) is a signal of a massive management failure of internal controls. Moreover, this is the SECOND breach in the same system – an almost unforgivable error.

How Marriott handled disclosing the breach is very troubling to us because it shows the damage weak management actions can have on innocent investors. Take a look at the Marriott stock price chart below. The start date of the price chart is September 1, 2018 (end date is March 7, 2019).

Arrow A on the chart marks the date the breach was first known at Marriott. At this point, likely the IT department and perhaps the most senior officers might know of the breach. Yet, notice the large spike in trading volume at Arrow B on the chart. This is September 21, 2019.

Next notice Arrow C which clearly shows a steep decline in Marriott’s stock price from September 30 to October 24 as the stock price drops from $132 per share to $107 per share (19% decline). Notice also the heavier trading volume of Marriott during the same period (along the bottom of the chart).

84 days after the first signal of the breach, on November 30, 2018, find Arrow D. On that date, for the first time, Marriott files an 8K with the SEC and releases a press release notifying the public of the data breach.

Mariott Graph 03 18 19.JPG

You will notice Arrow E follows yet another steep decline after the public disclosure, reaching a low price point of $101 on Christmas Day, 2018.

In other words, Marriott’s cyber breach coincided with a collapse in Marriott’s stock price from a high of $132 down to a low of $101 in just 84 days. That is a 24% loss for investors.

But notice the trading happening during those 84 days. Some selling shareholders did better than others. To paraphrase George Orwell in “Animal Farm”: All shareholders are equal, but some shareholders are more equal than others.

By that we mean that between September 21 and November 30, some investors may have known something was up at Marriott and were possibly taking advantage of their knowledge to sell ahead of other investors who only sold AFTER the official November 30 disclosure date. This is the kind of possible losses investors incur when management fails to manage information well.

Beyond the obvious stock price collapse issues, Watchdog found other issues related to this breach. Consider the breach came from a merger deal with Starwood. The Marriott/Starwood deal was over 5x larger than the next closest recent M&A deal in the hotel industry (Wyndham buying LaQuinta). Large deals require due-diligence.

Looking back over lawsuits filed against Starwood before the merger with Marriott, we found the case of Dugas v. Starwood Hotels & Resorts Worldwide Inc et al. We note this case was NOT disclosed in the most recent Marriott 10k. Here’s the opening statement from that suit’s amended filing 12/7/2016:

This is a class action brought on behalf of Starwood Resorts/Sheraton Hotel customers. (“Defendants”) Defendants have, carelessly or recklessly, failed to protect their customer records, and as a result those records were hacked and stolen by third parties, thereby exposing Plaintiff to damages. Defendants’ conduct violates Sections 1798.81.5of the California Business & Professions Code. On November 20, 2015, Defendants disclosed for the first time that hackers had breached its database containing sensitive records including: names, credit card numbers, security codes and expiration dates.

Given that the current breach happened from within the Starwood reservation system, in the Starwood Loyalty program, this case is very important. Management at Marriott (and Starwood) do not have the luxury of claiming ignorance of the possibility of a data breach in the same system just 2.5 years earlier. Digging further into Marriott’s peers, we found 70 items of litigation (identified in Item 3 of non-gaming hotel company quarterly filings) which cited cyber security breaches. Presumably, a thorough due diligence during the merger would have caught this previously identified risk of cyber security and provided the impetus for management focus in protecting against this.

Yet another bothersome issue relates to Marriott’s CEO and CFO sworn statements about their internal controls. In the company’s 10Q Nov. 11, 2018, the CEO and CFO both gave themselves an “effective” grade for internal controls. Given the breach happened Sept. 8, 2018, we find it very odd that the CFO and CEO would have both given statements that Marriott had effective controls. Here is the sworn statement:

Based on my knowledge, this report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;

So while the breach was known and being investigated, neither the CEO or CFO admitted to ineffective controls. Next note the contrast in these two statements below. The first comes from Marriott’s Nov. 11, 2018 10Q and the second from their March 1, 2019 10K:

Item 4: Based upon this evaluation, our Chief Executive Officer and the Chief Financial Officer concluded that our disclosure controls and procedures were effective….

Versus:

…management assessed the effectiveness of the Company’s internal control over financial reporting…Based on this assessment, and the existence of a material weakness related to the accounting for our Loyalty Program…., as of December 31, 2018, the Company’s internal control over financial reporting was not effective…

We do appreciate that EY, Marriott’s external auditor, recognized the breach as a failure of Marriott’s management to have proper controls. Such statements are a big deal. EY filed only 2 such statements for their 148 S&P 500 clients in 2018. EY’s statement in the March, 2019 10K was:

We have audited Marriott International, Inc.’s internal control …In our opinion …Marriott International, Inc. (the Company) has not maintained effective internal control over financial reporting as of December 31, 2018, based on the COSO criteria.

All these weaknesses at Marriott have led to a class-action suit against Marriott from the breach. We note that class-action suits are rare in the hotel space. There were only three in the last five years, including the one related to this breach: McGrath v. Marriott International Inc et al, New York Eastern District Court.

Finding and stopping cyber breaches is a reality every company must deal with. How a company’s management handles the disclosure demonstrates their clarity of thinking during a crisis and most importantly, how they view their responsibility for disclosing information to protect all investors.

© 2020 Watchdog Research, Inc. All rights reserved.
Watchdog Transparency is a publication based on reports created by Watchdog Research, Inc.
Watchdog Research, Inc. is a financial research company providing due diligence information on public companies.

@WatchdogRsrch    |     rss