Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Direct cyber incident losses from Marriott breach up to $600M: AIR

Reprints
Direct cyber incident losses from Marriott breach up to $600M: AIR

Catastrophe risk modeling firm AIR Worldwide estimates the direct cyber incident losses from the data breach announced by Marriott International Inc. in November will be $200 million to $600 million.

Bethesda, Maryland-based Marriott said Nov. 30 that hackers accessed up to 500 million customer records in its Starwood Hotel unit’s reservation system in an attack that began four years ago, prior to Marriott’s ownership of the brand, exposing data including passport numbers and payment cards.

The hotel chain said it buys cyber insurance, but it is too early to estimate the breach’s financial impact. According to market reports, American International Group Inc. was the Marriott’s primary insurer, with about $250 million in coverage, with excess coverage placed in London, and Lockton Cos. LLC was the firm’s broker.

Boston-based AIR said in its statement Tuesday that AIR’s loss estimates are based on the assumption that, as reported by Marriott, 500 million records were stolen.

It said the wide range of loss estimates reflects the uncertainty about the data stolen, for instance whether along with encrypted credit card data stolen the encryption key itself was stolen as well. Some of the data stolen may have been duplicates as well, AIR said.

"AIR's new probabilistic security breach model shows that this type of event is not unprecedented, even though an event of this magnitude hasn't previously happened to a hotel chain," Scott Stransky, AIR assistant vice president and director of emerging risk modeling, said in the statement.

"In fact, the largest recorded breach for a U.S.-based hotel chain prior to this event was less than 1/50 the size in terms of the number of records stolen. There are more than 300 simulated events in our model that cause higher losses for U.S.-based hotels."

A Marriott spokesman could not be reached for comment.

Experts have said the data beach’s disclosure illustrates the potential vulnerability of the hospitality sector, which holds vast amounts of personal information from its hotel bookings and loyalty programs.

 

 

 

 

 

 

Read Next