On September 8, 2018, Marriott International received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. A subsequent investigation, carried out by the security specialist firm Kroll, determined that unauthorized access had taken place. As the investigation progressed, Marriott discovered that the Starwood network had been accessed since 2014. An unauthorized party had also copied information and had taken steps towards removing it.
In its statement on November 30, Marriott stated that it had not finished identifying duplicate information in the database, but believed the breach impacted around 500 million customers. For approximately 327 million of these guests, the information includes some combination of name, address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, and arrival and departure information. For some, the information also includes payment card numbers and expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).
With regard to the potential perpetrators, rumors have spread that Chinese state hackers might have been behind the cyberattack, although, as with most cyberattacks, attribution to a specific threat actor is a lengthy and uncertain task.
The Ritz-Carlton Hotel, Berlin, one of over 6,700 properties managed by Marriott International. Image credit: Wikimedia/NoRud
Potential Financial Impact
The Marriott International data breach is clearly a significant industry event. This data breach is by far the largest – in terms of the number of records lost – to impact the global hospitality sector. Other notable breaches impacting this sector include Huazhu, a Chinese hotel chain, which lost 130 million records in August 2018. Hilton lost 350,000 records in a breach in 2015, and market-leader Wyndham had 500,000 records breached back in 2010.
RMS expects the insurable losses for this event to exceed US$160 million and potentially reach in excess of US$250 million. This number is based on the latest RMS model research and incorporates potential uncertainty around how the event might play out, with litigation being a major potential contributor to the eventual loss as well as a source of considerable uncertainty. These losses are calibrated against historical insurance claims data.
Cyber Insurance Coverage
How this economic loss will impact the insurance industry is yet to be determined. However, in its annual report, Marriott stated that it carries cybersecurity liability insurance, but it does not disclose the deductibles or level of coverage. The report states:
“…although we carry cyber/privacy liability insurance that is designed to protect us against certain losses related to cyber risks, that insurance coverage may not be sufficient to cover all losses or all types of claims that may arise in connection with cyber-attacks, security breaches, and other related breaches. Furthermore, in the future, such insurance may not be available to us on commercially reasonable terms, or at all.”
It is uncertain how large a cyber insurance tower Marriott has in place, although a limit of in excess of US$100 million is not unusual for companies of Marriott’s profile.
As the recent Equifax breach shows, the costs of lawsuits, new technology, and brand damage all add up. In its last quarter’s filing, Equifax said it had spent US$430 million on the data breach incident. With the full impact of the Marriott breach still emerging, losses certainly have the potential to be significant, and the potential hit to Marriott’s insurers is substantial.
RMS will continue to monitor this situation and will work to update our clients with additional information as and when it becomes available.