Marriott faces massive data breach expenses even with cybersecurity insurance


Marriott’s disclosure of a data breach impacting as many as 500 million consumers is going to result in technology, security, and legal expenses for years to come — and the tab is likely to be in the billions of dollars.

The hotel company said that information on about 500 million guests may have been breached on its Starwood network since 2014. For about 327 million of those guests, personal information such as date of birth, gender, email, passport numbers, and phone numbers may have been exposed. In some cases, payment card information may have been exposed, but that data was encrypted.

A recent IBM study by Ponemon on the cost of large data breaches estimated that a breach of 50 million records will have a total price tag of $350 million. IBM and Ponemon modeled the costs based on a sample of 11 companies hit with a “mega breach” over the past two years.

IBM/Ponemon also calculated costs based on lost business and included everything from tech spending to legal fees to remediation and customer churn. What’s unclear is whether consumers can abandon Marriott and the Starwood reservation system given its vast footprint. Equifax had a similar situation with relatively locked-in customers.


Given those rough figures, the worst case for Marriott expenses would be $3.5 billion if 500 million consumers were affected. The tab could be lower and more in line with 300 million breached records, or $2.1 billion.

Other variables to consider in ballparking Marriott’s costs will include the time to identify the breach. It’s a bit alarming that the Starwood database was available to cybercriminals since 2014. According to IBM/Ponemon, the average time to identify a data breach is 197 days. The average time to contain once identified is 69 days.


In addition, the average cost per lost or stolen record is $148, according to Ponemon. Tools such as artificial intelligence and an incident response team can bring costs down.

Here are some key charts from the IBM/Ponemon report to consider.

[Charts: mega breach cost curve; mega breach cost ranges; mega breach cost components]

Credit: IBM/Ponemon

Marriott’s insurance will matter

Marriott said in its annual report that it carries cybersecurity liability insurance, but it didn’t disclose the deductible or level of coverage.

The hotel company said:

Although we carry cyber/privacy liability insurance that is designed to protect us against certain losses related to cyber risks, that insurance coverage may not be sufficient to cover all losses or all types of claims that may arise in connection with cyber-attacks, security breaches, and other related breaches. Furthermore, in the future such insurance may not be available to us on commercially reasonable terms, or at all.
