Marriott announced today that data from approximately 500 million hotel guests was stolen in what could go down as one of the largest consumer data breaches of all time. But, stepping back, how truly unique is this attack? Outside of the sheer scale of customer records, attacks on global hotel brands have become so common that it may be time for the insurance industry to take a closer look at how much liability it is willing to take on in the hotel industry, and at what price.
Background to the Marriott data breach
On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. The company uncovered that there had been unauthorized access to its Starwood property systems since 2014, exposing names, contact details, passport numbers and reservation details for hundreds of millions of guests.
On Friday, November 30th (with Friday historically being the most common day for breach notifications), the company went public with a press release and 8K filing disclosing the breach and actions being taken to understand and remediate the situation.
Large-scale cyber attacks on hotels have become the norm, rather than the exception
It may be tempting for consumers to reconsider stays at Marriott properties, especially legacy Starwood brands, given the scale of the breach and the unanswered questions about scope and containment. However, before hotel guests move to competing properties, it is worth noting that hotel chain hacks have been pervasive across almost all global hotel brands in recent years. [As a side note, in the interest of full disclosure, I am a very loyal guest who has stayed in their properties and “Heavenly Beds” so many nights that I am a lifetime Platinum Elite member!] A closer look at these global brands reveals a pattern of major cyber incidents recurring with alarming regularity.
Earlier this year, Chinese hotelier Huazhu Group, the local partner of France-based AccorHotels, reported the company’s internal data was being sold online and asked the police to investigate. Huazhu’s website outlines that it operates more than 3,000 hotels in more than 370 cities in China, including the AccorHotels brands Ibis and Mercure.
In the past three years, Hilton has revealed multiple instances of malware on its point-of-sale systems; in one of this series of public cyber incidents, payment card information for over 300,000 individuals was exfiltrated.
In 2015, Hyatt Hotels disclosed a virus in its payment processing system and unauthorized access to accounts in its Hyatt Gold Passport program, subsequently advising 18 million members to reset their passwords.
In 2014, Las Vegas Sands lost the employee information of over 50,000 workers, which fell into the hands of Iranian hackers after the CEO made statements that the country should be bombed to force it to abandon its nuclear program.
Between 2008 and 2010, Wyndham Worldwide Corporation suffered multiple attacks that gave hackers unauthorized access to the hotel company’s network for months, compromising the information of more than 600,000 customers. The attacks involved memory-scraping malware, compromised property management systems and fraudulent charges against thousands of customer accounts.
Nor is this the first time that Starwood Hotels and Resorts has been subject to a data breach. In a breach starting in 2014, at least 50 hotels were impacted by malware targeting credit and debit card data on point-of-sale registers.
Marriott has been quick to point out that the recent breach impacted reservations at Starwood properties, which were acquired by Marriott in 2015, rather than legacy Marriott brands. Putting aside the questions this raises about M&A due diligence, it should also be noted that Marriott itself has been subject to public security incidents, including a 2010 incident in which an individual accessed Marriott’s computers for months and threatened to reveal documents publicly unless the company offered him employment, before being apprehended by the Secret Service.
Krebs on Security has also noted public incidents at InterContinental Hotels Group, the Trump Hotel Collection, Kimpton Hotels, and Mandarin Oriental in the past two years. Far from this cyber event being an exception amongst Marriott’s competitors, it is hard to find a peer who has not experienced a material breach in recent years, with the cost in many of these cases covered in part by the insurance industry.
How much will the Marriott breach cost?
According to an 8K form published on November 30th by Marriott, “it is premature to estimate the financial impact to the company.” Given the scope and global nature of the breach, costs will be material.
At CyberCube, we model losses looking at the following dimensions, many of which will be relevant in this breach:
- Notification Costs
- Credit Monitoring
- Financial Reimbursement (e.g., from fraudulent credit card usage)
- Data Recovery (influenced by company back-up tendencies)
- Incident Response
- Debit/Credit Card Reissuance
- Legal/Class Action Lawsuits & Related Legal Fees
- Regulatory Fines, including GDPR fines
- Lost Revenues
- Intangible Losses (typically not covered by insurance)
- Stock Losses (typically not covered by insurance, although D&O lawsuits often follow; it’s noteworthy that Marriott stock has dropped by roughly 5% at the time of writing this blog)
As a company, CyberCube runs Monte Carlo simulations looking at a variety of different outcomes by cost component. Given the scale of the Marriott breach, benchmarked against other similar attacks, losses could easily reach the hundreds of millions of dollars for Marriott, with a subset of that covered by insurance depending on the specific coverages the company has purchased.
In its 8K filing, Marriott has stated that the company carries cyber insurance “commensurate with its size and the nature of its operations”, which Reinsurance News is reporting extends to around $250 million.
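As an added illustration of the cost-component and Monte Carlo approach described above (example code, not CyberCube’s model or Marriott’s figures), the following Python draws per-component breach losses, applies an assumed per-event retention and the roughly $250 million limit reported in the post, and summarizes insured versus retained loss. Every distribution parameter is a constructed assumption chosen only to make the mechanics visible.

```python
import math
import random
import statistics

# Cost components named in the post, each as an assumed lognormal (median $M, sigma).
# Parameters are constructed for illustration, not taken from Marriott or CyberCube.
COMPONENTS = {
    "notification": (5.0, 0.5),
    "credit_monitoring": (30.0, 0.7),
    "financial_reimbursement": (10.0, 0.8),
    "incident_response": (10.0, 0.6),
    "card_reissuance": (15.0, 0.8),
    "legal": (40.0, 1.0),
    "regulatory_fines": (20.0, 1.2),
    "lost_revenue": (25.0, 0.9),
    "intangible": (20.0, 0.8),
}
UNINSURED = {"intangible"}  # the post notes these are typically not insured

def simulate_event(rng):
    """Draw one breach outcome as a dict of component losses in $M."""
    return {name: rng.lognormvariate(math.log(median), sigma)
            for name, (median, sigma) in COMPONENTS.items()}

def apply_coverage(draws, limit, retention=0.0):
    """Split one event into (insured, retained) $M: a per-event retention and a
    policy limit apply to covered components; uninsured ones stay with the company."""
    covered = sum(v for k, v in draws.items() if k not in UNINSURED)
    uncovered = sum(v for k, v in draws.items() if k in UNINSURED)
    insured = min(max(covered - retention, 0.0), limit)
    return insured, covered - insured + uncovered

def run(n_sims, limit, retention, seed=2018):
    """Monte Carlo over n_sims breach events; returns summary statistics in $M."""
    rng = random.Random(seed)
    insured, retained = [], []
    for _ in range(n_sims):
        i, r = apply_coverage(simulate_event(rng), limit, retention)
        insured.append(i)
        retained.append(r)
    totals = sorted(i + r for i, r in zip(insured, retained))
    return {
        "mean_total": statistics.mean(totals),
        "mean_insured": statistics.mean(insured),
        "mean_retained": statistics.mean(retained),
        "p99_total": totals[int(0.99 * n_sims)],          # tail loss an underwriter prices
        "prob_limit_exhausted": sum(i >= limit for i in insured) / n_sims,
    }
```

Calling `run(20000, limit=250.0, retention=5.0)` gives the mean, tail and limit-exhaustion figures for the assumed $250M tower; varying the component parameters shows how quickly the retained share grows once legal and regulatory tails are fattened.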
What does this mean for cyber insurance pricing?
In total, CyberCube analysts have identified at least a dozen data breaches in SIC code 7011 (“hotels and motels”) with material losses (in excess of $500,000), many of them in the tens of millions of dollars. These “attritional” single-company losses need to be factored into the rates charged by insurers as they model expected loss ratios for different classes of business.
Furthermore, the hotel industry uses a number of common systems, creating aggregation risk for the insurance and reinsurance industry. For example, in CyberCube’s catastrophe modeling, we model the impact of potential hacks against common service providers, including property management systems and payment processors, which could produce losses across many hotel brands simultaneously for the insurance industry.
It’s not yet clear what the cyber insurance industry’s reaction to the Marriott breach will be. In some instances, the industry over-reacts to recent high-profile events. What is clear is that insurers will be taking a closer look, internally and with their modeling partners like CyberCube, at the cyber insurance rates charged to the hotel industry.
Where to from here?
Even for those consumers without lifetime loyalty to Marriott, it may be premature to jump ship to another hotel brand and loyalty program just yet. No doubt, more information will be released about this event in the weeks ahead.
However, for insurers, it is a good time to reevaluate the frequency and severity of attacks against the hotel industry and whether the premium charged is sufficient given the risk profile of this industry segment. Events like these keep insurance executives up at night, with or without a “Heavenly Bed”.