Marriott faces massive data breach expenses even with cybersecurity insurance

Marriott's total tab for a data breach affecting as many as 500 million consumers is going to cost billions of dollars over the next few years, based on the average cost of megabreaches.
Written by Larry Dignan, Contributor

Marriott's disclosure of a data breach impacting as many as 500 million consumers is going to result in technology, security, and legal expenses for years to come -- and the tab is likely to be in the billions of dollars.

The hotel company said that information on about 500 million guests may have been breached on its Starwood network since 2014. For about 327 million of those guests, personal information such as date of birth, gender, email, passport numbers, and phone numbers may have been exposed. In some cases, payment card information may have been exposed, but that data was encrypted.

A recent IBM study by Ponemon on the cost of large data breaches estimated that a breach of 50 million records will have a total price tag of $350 million. IBM and Ponemon modeled the costs based on a sample of 11 companies hit with a "mega breach" over the past two years.

IBM/Ponemon also calculated costs based on lost business and included everything from tech spending to legal fees to remediation and customer churn. What's unclear is whether consumers can abandon Marriott and the Starwood reservation system given its vast footprint. Equifax had a similar situation with relatively locked-in customers.


Given those rough figures, the worst case for Marriott expenses would be $3.5 billion if 500 million consumers were affected. The tab could be lower and more in line with 300 million breached records, or $2.1 billion.

Other variables to consider in ballparking Marriott's costs will include the time to identify the breach. It's a bit alarming that the Starwood database had been accessible to cybercriminals since 2014. According to IBM/Ponemon, the average time to identify a data breach is 197 days. The average time to contain a breach once identified is 69 days.


In addition, the average cost per lost or stolen record is $148, according to Ponemon. Tools such as artificial intelligence and an incident response team can bring costs down.

Here are some key charts from the IBM/Ponemon report to consider.

[Charts from the IBM/Ponemon report not reproduced here. Credit: IBM/Ponemon]

Marriott's insurance will matter

Marriott said in its annual report that it carries cybersecurity liability insurance, but it didn't disclose the deductible or level of coverage.

The hotel company said:

Although we carry cyber/privacy liability insurance that is designed to protect us against certain losses related to cyber risks, that insurance coverage may not be sufficient to cover all losses or all types of claims that may arise in connection with cyber-attacks, security breaches, and other related breaches. Furthermore, in the future such insurance may not be available to us on commercially reasonable terms, or at all.

In that same report, Marriott noted that its integration of Starwood is a risk, as were its global reservation systems.


Without knowing the deductible or level of cybersecurity insurance, it's hard to tell what Marriott will have to spend initially.

One thing is clear: This Marriott breach will cost millions of dollars, if not more than $1 billion, in the years to come once you include the IT and legal fees involved.


Using Equifax as a benchmark

Equifax's 2017 data breach impacted 145.5 million US consumers whose personally identifiable information was exposed by an attack. In March 2018, Equifax disclosed that 2.4 million more US consumers were impacted. Toss in data losses for UK and Canadian consumers and the Equifax incident was a big hit to data security.


The rebound from that incident, however, is instructive for Marriott. First, Equifax had much of the expenses covered by cybersecurity insurance. But the company did have to invest heavily in IT systems and security remediation to repair its issues. However, the data breach is still a hit to Equifax's expense line.

Including technology and security investment, legal and investigative fees, and product liability, Equifax has spent $430.5 million on the incident through its latest quarter. Equifax said it expects 2018 expenses to be more than $350 million due to the "incident and incremental technology and data security costs."


Equifax also explained that the insurance has helped.

We maintain $125.0 million of cybersecurity insurance coverage, above a $7.5 million deductible, to limit our exposure to losses such as those related to the 2017 cybersecurity incident. During the three months ended September 30, 2018, the Company has not recorded any insurance recoveries. During the nine months ended September 30, 2018, the Company has recorded insurance recoveries of $45.0 million. Since the announcement of the 2017 cybersecurity incident in September 2017, we have recorded and received insurance recoveries of $95.0 million for costs incurred through September 30, 2018.

Here's the breakdown of the cybersecurity insurance coverage and what Equifax has ultimately paid out since the December breach through Sept. 30.


But insurance doesn't tell the whole story. After all, based on the insurance payments and receivables, Equifax ultimately only had to pay out $10.7 million. Not much considering the size of the breach.

The catch is that Equifax had $125 million worth of coverage for a cybersecurity incident. The deductible was $7.5 million.

Equifax said the table above includes $113.3 million in pretax expenses for investigating and remediating the cybersecurity incident and all the professional services that went with it. Through Dec. 31, 2017, Equifax included the costs in the table above. In 2018, the expenses were more about the cost of doing business. But free credit monitoring was included in its table.

The company also has ongoing lawsuits related to the incident.
