Marriott disclosed today: the Starwood reservation database was breached for FOUR YEARS — since 2014, predating Marriott’s own acquisition of Starwood — exposing up to 500 million guests: passports, travel histories, the occasional unencrypted card. Two archive threads converge with a clang. First, the M&A angle: Marriott BOUGHT this breach in 2016 and ran it unknowingly for two years — due diligence audits the books, the brand, the real estate, and treats the IT estate as furniture; “you acquire their attackers too” belongs in every deal memo (#087’s Yahoo discount was THE precedent — a breach literally repriced that acquisition, and the industry filed it under ‘Yahoo problems’). Second, the duration: four YEARS of dwell time. Breach detection lag is the metric nobody dashboards — prevention gets the budget, detection gets a log-retention policy written by the finance team. (#116’s ceiling rule applies; expect the passport count to firm upward.)

Cheerier infrastructure: AWS re:Invent week delivered its annual firehose (the notable trend: everything moving “serverless-adjacent” and everything getting an ARM chip — Graviton — because Amazon now builds CPUs, which the #141 supply-chain file notes with a raised eyebrow), and our own migration-scarred Kubernetes platform (#106) is now boring enough that this year’s announcements read as “optional,” the highest compliment infrastructure can earn.

TIL: dwell-time benchmarks — industry median breach detection sits around 100-200 DAYS depending whose report you read, and that’s the median of DISCOVERED breaches, a survivorship-biased floor (#080’s asterisk logic applies to security stats too). Instrument for the attacker already inside; assume breach (#060) was never a slogan, it’s a query you should be able to RUN.