Marriott data breach losses could be over half a billion dollars

The data breach at Marriott International could cost the hotel group as much as $600m, according to risk modelling firm AIR Worldwide.

AIR said the cyber security breach in November this year, which resulted in half a billion customer records being compromised, will have direct costs of between $200m and $600m.

Its estimate is based on the premise that 500 million records were breached and includes first- and third-party losses directly related to the breach, such as notification costs, forensics, credit monitoring, replacement of credit cards and setting up a call centre. It does not include potential fines related to the General Data Protection Regulation (GDPR) as well as reputational loss, business interruption and decrease of stock price.

“AIR’s new probabilistic security breach model shows that this type of event is not unprecedented, even though an event of this magnitude hasn’t previously happened to a hotel chain,” said Scott Stransky, director of emerging risk modeling at AIR Worldwide. “In fact, the largest recorded breach for a US-based hotel chain prior to this event was less than one-fiftieth of the size in terms of the number of records stolen.”

Last month, Marriott International said it had taken measures to investigate and address the security incident affecting reservations at its Starwood properties between 2014 and 10 September 2018.  

AIR said the loss estimates are based on an analysis performed using its Cyber Model. “These estimates are subject to uncertainty and are not based on actual policy or loss data reported by Marriott,” it said. “The net financial impact to Marriott will be partially mitigated by the cyber insurance and other liability insurance coverage it reportedly has, which are not accounted for in these estimated losses.”