Marriott breach to cost $200-600M in losses, AIR estimates

AIR's loss estimates are based on Marriott's assertion that 500 million records were stolen.


Marriott International Inc. is reeling from its Nov. 30 disclosure of a massive security breach, stemming from hacks that began in 2014, that affected 500 million customers.

Based on the assumption that 500 million records were stolen, as Marriott has reported, AIR Worldwide estimates that the direct cyber incident losses for the Marriott breach will be between $200 million and $600 million.

Breaking down the estimates

AIR reps say the large range of loss estimates is due to the uncertainty about the data that was stolen. For instance, while credit card data was stolen, it was encrypted; however, the encryption key itself may have been stolen as well. Additionally, some of the 500 million stolen records may be duplicates, the number of which is unknown.

AIR’s loss estimates are based on an analysis performed using its Cyber Model. It includes first- and third-party losses directly related to the security breach, including notification costs, forensics, credit monitoring, replacement of credit cards, setting up a call center, and any liability covered under an affirmative cyber policy.

Scott Stransky, assistant vice president and director of emerging risk modeling at AIR, noted that while this breach is uniquely large, it’s not unprecedented, as hotels are a major target for hackers. He noted that the largest recorded breach for a U.S.-based hotel chain prior to this event was less than 1/50 the size in terms of the number of records stolen.
