AIR Estimates Marriott Cyber Breach Direct Losses Could Reach $600 Million

Marriott International Inc. will be dealing with direct cyber incident losses from its massive data breach of between $200 million and $600 million, according to an AIR Worldwide estimate.

Marriott disclosed on Dec. 1 that it had uncovered a massive data breach at its Starwood Hotels and Resorts, with as many as 500 million guests dealing with exposure of their personal data.

AIR said its loss estimate is based on the assumption that 500 million records were stolen. It added the estimate also reflects uncertainty about data that was stolen.

“While credit card data was stolen, it was encrypted; however, the encryption key itself may have been stolen as well. There is additional uncertainty, as some of these records may be duplicates,” AIR Worldwide said.

AIR’s estimate appears in line with another. Earlier this month Morgan Stanley cited potential costs of $200 million in fines, plus $1 per customer across 500 million customers for notifying victims and providing data monitoring services.

However, it falls below an estimate from Bloomberg Intelligence analysts who warned of costs as high as $1 billion, including a potential fine of about $450 million under Europe’s General Data Protection Regulation.

On December 5, Bloomberg reported remarks by Marriott Chief Financial Officer Leeny Oberg who said that it was too soon to estimate the cost of the massive cyber breach.

Large companies that have suffered cyber breaches have also faced millions of dollars in legal costs.

AIR noted that net financial impact to Marriott will be partially mitigated by the cyber insurance and other liability insurance coverages that are not accounted for in these estimated losses.

AIR’s modeled loss estimates include first- and third-party losses directly related to the security breach, including notification costs, forensics, credit monitoring, replacement of credit cards, setting up a call center, and any liability covered under an affirmative cyber policy.

AIR’s modeled loss estimates do not include any fines that may be levied upon Marriott, including potential fines for violation of the GDPR, D&O and other non-cyber policy related claims, reputational loss, business interruption and decrease of stock price.

Marriott has said the breach would not affect its long-term financial health and it is working with its insurance carriers to assess coverage.