Marriott's disclosure of a data breach impacting as many as 500 million consumers is going to result in technology, security, and legal expenses for years to come -- and the tab is likely to be in the billions of dollars.
The hotel company said that information on about 500 million guests may have been breached on its Starwood network since 2014. For about 327 million of those guests, personal information such as date of birth, gender, email, passport numbers, and phone numbers may have been exposed. In some cases, payment card information may have been exposed, but that data was encrypted.
A recent IBM study by Ponemon on the cost of large data breaches estimated that a breach of 50 million records will have a total price tag of $350 million. IBM and Ponemon modeled the costs based on a sample of 11 companies hit with a "mega breach" over the past two years.
IBM/Ponemon also calculated costs based on lost business, including everything from tech spending to legal fees to remediation and customer churn. What's unclear is whether consumers can abandon Marriott and the Starwood reservation system given its vast footprint. Equifax had a similar situation with relatively locked-in customers.
Given those rough figures, the worst case for Marriott expenses would be $3.5 billion if 500 million consumers were affected. The tab could be lower and more in line with 300 million breached records, or $2.1 billion.
Other variables to consider in ballparking Marriott's costs will include the time to identify the breach. It's a bit alarming that the Starwood database was available to cybercriminals since 2014. According to IBM/Ponemon, the average time to identify a data breach is 197 days. The average time to contain once identified is 69 days.
Although we carry cyber/privacy liability insurance that is designed to protect us against certain losses related to cyber risks, that insurance coverage may not be sufficient to cover all losses or all types of claims that may arise in connection with cyber-attacks, security breaches, and other related breaches. Furthermore, in the future such insurance may not be available to us on commercially reasonable terms, or at all.
Equifax's 2017 data breach impacted 145.5 million US consumers whose personally identifiable information was exposed by an attack. In March 2018, Equifax disclosed that 2.4 million more US consumers were impacted. Toss in data losses for UK and Canadian consumers and the Equifax incident was a big hit to data security.
The rebound from that incident, however, is instructive for Marriott. First, Equifax had much of the expenses covered by cybersecurity insurance. But the company did have to invest heavily in IT systems and security remediation to repair its issues. However, the data breach is still a hit to Equifax's expense line.
Including technology and security investment, legal and investigative fees and product liability, Equifax has spent $430.5 million on the incident through its latest quarter. Equifax said it expects 2018 expenses to be more than $350 million due to the "incident and incremental technology and data security costs."
We maintain $125.0 million of cybersecurity insurance coverage, above a $7.5 million deductible, to limit our exposure to losses such as those related to the 2017 cybersecurity incident. During the three months ended September 30, 2018, the Company has not recorded any insurance recoveries. During the nine months ended September 30, 2018, the Company has recorded insurance recoveries of $45.0 million. Since the announcement of the 2017 cybersecurity incident in September 2017, we have recorded and received insurance recoveries of $95.0 million for costs incurred through September 30, 2018.
Here's the breakdown of the cybersecurity insurance coverage and what Equifax has ultimately paid out since the December breach through Sept. 30.
But insurance doesn't tell the whole story. After all, based on the insurance payments and receivables, Equifax ultimately only had to pay out $10.7 million. Not much considering the size of the breach.
The catch is that Equifax had $125 million worth of coverage for a cybersecurity incident. The deductible was $7.5 million.
Equifax said the table above includes $113.3 million in pretax expenses for investigating and remediating the cybersecurity incident and all the professional services that went with it. Through Dec. 31, 2017, Equifax included the costs in the table above. In 2018, the expenses were more about the cost of doing business. But free credit monitoring was included in its table.
The company also has ongoing lawsuits related to the incident.