Marriott Breach Losses Estimated Up to $600 Million According to AIR

Cyber burglar opening combination safe on computer monitor

December 20, 2018


AIR Worldwide (AIR) has projected the direct cyber-incident losses for the recent Marriott breach will be between $200 million and $600 million. These estimates are based on the assumption that 500 million records were stolen, as reported by Marriott.

Uncertainty surrounds the data that was stolen. For instance, while credit card data was stolen, it was encrypted; however, the encryption key itself may have been stolen as well. Also, some records may be duplicates.

AIR also reported that, as of December 8, 2018, Marriott shared the following information on its website.

On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information and took steps toward removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

"AIR's new probabilistic security breach model shows that this type of event is not unprecedented, even though an event of this magnitude hasn't previously happened to a hotel chain," said Scott Stransky, assistant vice president and director of emerging risk modeling, AIR Worldwide. "In fact, the largest recorded breach for a US-based hotel chain prior to this event was less than 1/50 the size in terms of the number of records stolen. There are more than 300 simulated events in our model that cause higher losses for US-based hotels."

AIR's modeled loss estimates include the following.

  • First- and third-party losses directly related to the security breach, including notification costs, forensics, credit monitoring, replacement of credit cards, setting up a call center, and any liability covered under an affirmative cyber policy

AIR's modeled loss estimates do not include the following.

  • Any fines that may be levied upon Marriott, including potential fines for violation of the General Data Protection Regulation
  • Directors and officers and other non-cyber policy related claims, reputational loss, business interruption, or decrease of stock price
  • The impact of any insurance coverages that Marriott may use to recover their losses
