AIR Worldwide has estimated that the data breach Marriott recently reported resulted in direct cyber incident losses somewhere between $200 million and $600 million.
According to a report by AIR, the range of loss estimates is due to uncertainty about the data that was stolen. Credit card data was taken in the breach, but the hotel company has claimed that it was encrypted for security purposes. It is still unknown whether the hackers also stole the decryption information required to read it.
A further source of uncertainty is that some of the customer records could be duplicates, AIR noted.
Scott Stransky, AIR Worldwide assistant vice-president and director of emerging risk modelling, warned that these sorts of data breaches are not unique to the hotel industry.
“AIR’s new probabilistic security breach model shows that this type of event is not unprecedented, even though an event of this magnitude hasn’t previously happened to a hotel chain,” he explained. “In fact, the largest recorded breach for a US-based hotel chain prior to this event was less than 1/50 the size in terms of the number of records stolen. There are more than 300 simulated events in our model that cause higher losses for US-based hotels.”
AIR’s loss estimates are based on an analysis performed using its proprietary cyber risk modelling system. The modelled loss estimates take into account first- and third-party losses directly related to the security breach – these include notification costs, forensics, credit monitoring, replacement of credit cards, setting up a call centre, and any liability covered by a cyber insurance policy.