Marriott breach to cost up to $600m: AIR
The direct cyber incident losses for the Marriott breach will be between $200 million and $600 million, according to estimates by catastrophe risk modelling firm AIR Worldwide.
The net financial impact to Marriott will be partially mitigated by the cyber insurance and other liability insurance coverage they reportedly have, which are not accounted for in these estimated losses, AIR noted.
On Nov. 30, 2018, Marriott disclosed a data security incident involving the Starwood guest reservation database which contains information on up to approximately 500 million guests who made a reservation at a Starwood property.
On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information and took steps toward removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
A class-action lawsuit seeking $12.5 billion, or $25 for each customer whose privacy may have been jeopardized, has been filed against Marriott.
"AIR's new probabilistic security breach model shows that this type of event is not unprecedented, even though an event of this magnitude hasn't previously happened to a hotel chain," said Scott Stransky, director of emerging risk modelling, AIR Worldwide. "In fact, the largest recorded breach for a US-based hotel chain prior to this event was less than 1/50 the size in terms of the number of records stolen. There are more than 300 simulated events in our model that cause higher losses for US-based hotels."
AIR's modelled loss estimates include first- and third-party losses directly related to the security breach, including notification costs, forensics, credit monitoring, replacement of credit cards, setting up a call centre, and any liability covered under an affirmative cyber policy.
AIR's modelled loss estimates do not include any fines that may be levied upon Marriott, including potential fines for violation of the European Union’s General Data Protection Regulation (GDPR).
It also does not include directors and officers’ liability insurance (D&O) and other non-cyber policy related claims, reputational loss, business interruption, decrease of stock price. Neither does the estimate include the impact of any insurance coverages that Marriott may use to recover their losses, AIR explained.
