Marriott's disclosure of a data breach impacting as many as 500 million consumers is going to result in technology, security, and legal expenses for years to come -- and the tab is likely to be in the billions of dollars.
The hotel company said that information on about 500 million guests may have been breached on its Starwood network since 2014. For about 327 million of those guests, personal information such as date of birth, gender, email, passport numbers, and phone numbers may have been exposed. In some cases, payment card information may have been exposed, but that data was encrypted.
A recent IBM study by Ponemon on the cost of large data breaches estimated that a breach of 50 million records will have a total price tag of $350 million. IBM and Ponemon modeled the costs based on a sample of 11 companies hit with a "mega breach" over the past two years.
IBM/Ponemon also calculated costs based on lost business and included everything from tech spending to legal fees to remediation and customer churn. What's unclear is whether consumers can abandon Marriott and the Starwood reservation system given its vast footprint. Equifax had a similar situation with relatively locked-in customers.
Given those rough figures, the worst case for Marriott expenses would be $3.5 billion if 500 million consumers were affected. The tab could be lower and more in line with 300 million breached records, or $2.1 billion.
Other variables to consider in ballparking Marriott's costs include the time taken to identify the breach. It's a bit alarming that the Starwood database had been accessible to cybercriminals since 2014. According to IBM/Ponemon, the average time to identify a data breach is 197 days. The average time to contain a breach once identified is 69 days.
In addition, the average cost per lost or stolen record is $148, according to Ponemon. Tools such as artificial intelligence and an incident response team can bring costs down.
Here are some key charts from the IBM/Ponemon report to consider.
Marriott's insurance will matter
Marriott said in its annual report that it carries cybersecurity liability insurance, but it didn't disclose the deductible or level of coverage.
Although we carry cyber/privacy liability insurance that is designed to protect us against certain losses related to cyber risks, that insurance coverage may not be sufficient to cover all losses or all types of claims that may arise in connection with cyber-attacks, security breaches, and other related breaches. Furthermore, in the future such insurance may not be available to us on commercially reasonable terms, or at all.
In that same report, Marriott noted that its integration of Starwood was a risk, as were its global reservation systems.
Without knowing the deductible or level of cybersecurity insurance, it's hard to tell what Marriott will have to spend initially.
One thing is clear: This Marriott breach will cost millions of dollars -- if not more than $1 billion -- in the years to come once the IT and legal fees involved are included.
Using Equifax as a benchmark
Equifax's 2017 data breach impacted 145.5 million US consumers whose personally identifiable information was exposed in the attack. In March 2018, Equifax disclosed that 2.4 million more US consumers were impacted. Toss in data losses for UK and Canadian consumers and Equifax was a big hit to data security.
The rebound from that incident, however, is instructive for Marriott. First, Equifax had much of the expenses covered by cybersecurity insurance. But the company did have to invest heavily in IT systems and security remediation to repair its issues. However, the data breach is still a hit to Equifax's expense line.
Including technology and security investment, legal and investigative fees and product liability, Equifax has spent $430.5 million on the incident through its latest quarter. Equifax said it expects 2018 expenses to be more than $350 million due to the "incident and incremental technology and data security costs."
Equifax also explained that the insurance has helped.
We maintain $125.0 million of cybersecurity insurance coverage, above a $7.5 million deductible, to limit our exposure to losses such as those related to the 2017 cybersecurity incident. During the three months ended September 30, 2018, the Company has not recorded any insurance recoveries. During the nine months ended September 30, 2018, the Company has recorded insurance recoveries of $45.0 million. Since the announcement of the 2017 cybersecurity incident in September 2017, we have recorded and received insurance recoveries of $95.0 million for costs incurred through September 30, 2018.
Here's the breakdown of the cybersecurity insurance coverage and what Equifax has ultimately paid out since the December breach through Sept. 30.
But insurance doesn't tell the whole story. After all, based on the insurance payments and receivables, Equifax ultimately only had to pay out $10.7 million. That is not much considering the size of the breach.
The catch is that Equifax had $125 million worth of coverage for a cybersecurity incident. The deductible was $7.5 million.
Equifax said the table above includes $113.3 million in pretax expenses for investigating and remediating the cybersecurity incident and all the professional services that went with it. Through Dec. 31, 2017, Equifax included the costs in the table above. In 2018, the expenses were more about the cost of doing business. But free credit monitoring was included in its table.
The company also has ongoing lawsuits related to the incident.