weerapat1003 - stock.adobe.com

Marriott data breach losses could be over half a billion dollars

Direct losses related to a huge data breach at US hotel group could reach $600m

The data breach at Marriott International could cost the hotel group as much as $600m, according to risk modelling firm AIR Worldwide.

AIR said the cyber security breach in November this year, which resulted in half a billion customer records being compromised, will have direct costs of between $200m and $600m.

Its estimate is based on the premise that 500 million records were breached and includes first- and third-party losses directly related to the breach, such as notification costs, forensics, credit monitoring, replacement of credit cards and setting up a call centre. It does not include potential fines related to the General Data Protection Regulation (GDPR) as well as reputational loss, business interruption and decrease of stock price.

“AIR’s new probabilistic security breach model shows that this type of event is not unprecedented, even though an event of this magnitude hasn’t previously happened to a hotel chain,” said Scott Stransky, director of emerging risk modeling at AIR Worldwide. “In fact, the largest recorded breach for a US-based hotel chain prior to this event was less than one-fiftieth of the size in terms of the number of records stolen.”

Last month, Marriott International said it had taken measures to investigate and address the security incident affecting reservations at its Starwood properties between 2014 and 10 September 2018.  

AIR said the loss estimates are based on an analysis performed using its Cyber Model. “These estimates are subject to uncertainty and are not based on actual policy or loss data reported by Marriott,” it said. “The net financial impact to Marriott will be partially mitigated by the cyber insurance and other liability insurance coverage it reportedly has, which are not accounted for in these estimated losses.”

Read more about data breaches

  • More than 146 billion records to be stolen over next five years.
  • The personal data of more than 46 million mobile phone users in Malaysia was reportedly leaked online in possibly the biggest data breach in the Southeast Asian country.
  • The fact that data breaches at FTSE 100 firms cost on average £120m in market value should be a wake-up call for boards to ensure they have an adequate cyber security strategy.

Read more on Data breach incident management and recovery