Marriott International Data Breach: A Major Industry Event
Tom Harvey, December 13, 2018
On September 8, 2018, Marriott International received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. A subsequent investigation, carried out with the security specialist firm Kroll, determined that unauthorized access had taken place. As the investigation progressed, Marriott learned that there had been unauthorized access to the Starwood network since 2014, and that an unauthorized party had copied information and taken steps towards removing it.
In its statement on November 30, Marriott said that it had not finished identifying duplicate records in the database, but believed it contained information on up to approximately 500 million guests. For approximately 327 million of these guests, the information includes some combination of name, address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, and arrival and departure information. For some, the information also includes payment card numbers and expiration dates. The card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), but Marriott also noted that two components are needed to decrypt them and that it could not rule out that both had been taken, so the encryption cannot be assumed to have protected the card data.
With regard to the potential perpetrators, rumors have spread that Chinese state hackers might have been behind the cyberattack, although, as with most cyberattacks, attribution to a specific threat actor is a lengthy and uncertain task.
Potential Financial Impact
The Marriott International data breach is clearly a significant industry event. It is by far the largest – in terms of the number of records lost – to impact the global hospitality sector. Other notable breaches in this sector include Huazhu, a Chinese hotel chain, which lost 130 million records in August 2018; Hilton, which lost 350,000 records in a breach in 2015; and market leader Wyndham, which had 500,000 records breached back in 2010.
RMS expects the insurable losses for this event to exceed US$160 million and potentially reach in excess of US$250 million. This number is based on the latest RMS model research and incorporates potential uncertainty around how the event might play out, with litigation being a major potential contributor to the eventual loss as well as a source of considerable uncertainty. These losses are calibrated against historical insurance claims data.
Cyber Insurance Coverage
How this economic loss will impact the insurance industry is yet to be determined. In its annual report, Marriott states that it carries cybersecurity liability insurance, but it does not disclose the deductibles or level of coverage. The report states:
“…although we carry cyber/privacy liability insurance that is designed to protect us against certain losses related to cyber risks, that insurance coverage may not be sufficient to cover all losses or all types of claims that may arise in connection with cyber-attacks, security breaches, and other related breaches. Furthermore, in the future, such insurance may not be available to us on commercially reasonable terms, or at all.”
It is uncertain how large a cyber insurance tower Marriott has in place, although a limit in excess of US$100 million is not unusual for companies of Marriott’s profile.
As the recent Equifax breach shows, the costs of lawsuits, new technology, and brand damage all add up. In its last quarterly filing, Equifax said it had spent US$430 million on its data breach incident. With the full impact of the Marriott breach still emerging, losses certainly have the potential to be significant, and the potential hit to Marriott’s insurers is substantial.
RMS will continue to monitor this situation and will work to update our clients with additional information as and when it becomes available.
You May Also Like
October 10, 2019
Cyber Risk Seminars Introduce New Solutions to Address Evolving Threat Landscape
During September, RMS ran a series of cyber risk seminars in London and New York. These half-day events coincided with the release of RMS Cyber Solutions version 4.0 and featured both RMS and industry experts discussing cyber risk and the opportunities for the cyber insurance industry.
At both events, the day kicked off with Dr. Andrew Coburn, senior vice president for RMS, examining recent developments within the cyber risk landscape by outlining the approach RMS takes to tracking and categorizing the wide range of evolving threat actor groups. He also proposed some key future trends, such as the potential impact of a “gloves-off” nation-state cyberattack and its implications for the cyber insurance industry.
Former ethical hacker Eireann Leverett dug deep into the topic of contagion mapping and how hacking groups – both good and bad – are using innovative techniques to map out the digital world. He also touched on the growing use of deepfakes in spear phishing attacks, whereby executive identities are faked to trick employees into fraudulently transferring funds out of the business.
To provide the industry’s perspective, we were delighted to be joined by two expert panels in London and New York discussing the cyber market and the role of models to support growth. Thanks to Jamie Pocock (Guy Carpenter), Laila Khudairi (Tokio Marine Kiln), Rory Egan (Munich Re), and Kirsten Mitchell-Wallace (Lloyd’s) for participating in London, and to Anthony Shapella (AIG), Jon Laux (Aon), and Kara Owens (Markel) in New York.
RMS Cyber Risk Seminars held in London (left) and New York (right)
For the second half of the agenda, members of the RMS cyber team focused on the release of RMS Cyber Solutions version 4.0. This release features substantial enhancements to the RMS model and capabilities across several key areas, including exposure data enrichment, expanded model data sources, and new stochastic modeling approaches to quantify cyber risk.
Dave Gatey, senior director – modeling for RMS, revealed how new modeling methods, such as agent-based modeling and multi-compartment models, were being used in RMS Cyber Solutions v4. Chris Vos, lead modeler for RMS, took to the stage in New York, and I did so in London, to give context as to how these improvements to the model and software will help clients understand their cyber risk and therefore make better decisions for their business. In New York, the RMS cyber seminar was followed by a half-day terrorism seminar.
Introducing RMS Cyber Solutions Version 4.0
For many insurers, obtaining complete and accurate exposure data from cyber submissions remains a challenge. Often, these submissions are missing key information such as business revenue, profit, or business sector – all attributes that are critical to understanding the potential effect of cyber events.
To address this, RMS has released a company database consisting of 13 million companies across 30 countries, alongside a data enrichment engine that uses a custom similarity matching algorithm to allow users to enrich their exposure data. This will help ensure the inputs into the model are as accurate as possible, reducing model uncertainty, and minimizing an insurer’s data collection efforts.
Although historical data does not show you the whole picture when it comes to cyber risk, it is still critical to inform the lower return period scenarios. To enable this, RMS has invested substantially in automating our historical event data collection by employing bespoke machine learning algorithms that extract event data from hundreds of thousands of unstructured data sources. These new data sets cover multiple event types, including breach, malware, ransomware, and cloud outages, and allow our v4 model to be run at a significantly increased level of granularity, supporting greater risk differentiation.
RMS has continued to research the causal processes that drive cyber risk, working closely with our partners across cybersecurity and academia to map out and build simulations of these underlying processes. By stochastically modeling these individual components and applying game theory models to explore threat actor behavior, we can extract probabilities associated with both short- and long-tail cyber events.
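The multi-compartment models mentioned in the seminar write-up above, and the stochastic modeling described in this paragraph, are easiest to understand with a minimal worked instance. The following is an added illustration, written for this page; it is not the RMS model and makes no claim about how RMS Cyber Solutions is implemented. It assumes a toy portfolio of insured firms moving through three compartments (susceptible, infected, recovered), a chain-binomial update rule, and a constructed loss per compromised firm; all parameter values are assumptions chosen for illustration.

```python
"""Toy stochastic multi-compartment (SIR-style) model of malware contagion
across an insured portfolio, with a simulated exceedance-probability curve.
Illustrative example only; not the RMS model."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class State:
    """Counts of insured firms in each compartment at one time step."""
    susceptible: int  # reachable by the malware but not yet compromised
    infected: int     # currently compromised and able to spread it
    recovered: int    # remediated/patched; cannot be reinfected

    @property
    def total(self) -> int:
        return self.susceptible + self.infected + self.recovered


def _binomial(n: int, p: float, rng: random.Random) -> int:
    """Number of successes in n Bernoulli(p) trials (simple loop; n is small)."""
    return sum(1 for _ in range(n) if rng.random() < p)


def step(state: State, beta: float, gamma: float, rng: random.Random) -> State:
    """Advance the chain-binomial SIR model by one time step (e.g. one day).

    beta:  effective contact rate; a susceptible firm is hit this step with
           probability 1 - exp(-beta * I / N), growing with the infected share.
    gamma: per-step probability that an infected firm completes remediation.
    """
    n = state.total
    p_infect = 1.0 - math.exp(-beta * state.infected / n) if n else 0.0
    new_infections = _binomial(state.susceptible, p_infect, rng)
    new_recoveries = _binomial(state.infected, gamma, rng)
    return State(
        susceptible=state.susceptible - new_infections,
        infected=state.infected + new_infections - new_recoveries,
        recovered=state.recovered + new_recoveries,
    )


def simulate(n_firms: int, initial_infected: int, beta: float, gamma: float,
             steps: int, seed: int) -> list[State]:
    """Run one stochastic trajectory and return the state after every step."""
    rng = random.Random(seed)  # seeded so each scenario is reproducible
    state = State(n_firms - initial_infected, initial_infected, 0)
    path = [state]
    for _ in range(steps):
        state = step(state, beta, gamma, rng)
        path.append(state)
    return path


def outbreak_size(path: list[State]) -> int:
    """Firms ever compromised: everyone no longer susceptible at the end."""
    final = path[-1]
    return final.infected + final.recovered


def exceedance_probabilities(thresholds, n_sims: int, loss_per_firm: float,
                             **model) -> dict:
    """Fraction of simulated events whose portfolio loss exceeds each threshold,
    the Monte Carlo analogue of an exceedance-probability (EP) curve."""
    losses = [loss_per_firm * outbreak_size(simulate(seed=i, **model))
              for i in range(n_sims)]
    return {t: sum(1 for loss in losses if loss > t) / n_sims for t in thresholds}


if __name__ == "__main__":
    # Assumed parameters for a constructed 300-firm portfolio.
    model = dict(n_firms=300, initial_infected=3, beta=0.35, gamma=0.15, steps=60)
    path = simulate(seed=1, **model)
    print("peak concurrently infected:", max(s.infected for s in path))
    print("firms ever compromised:", outbreak_size(path))
    # Constructed assumption: each compromised firm costs 2.0 (USD million).
    ep = exceedance_probabilities([100.0, 300.0, 500.0], n_sims=100,
                                  loss_per_firm=2.0, **model)
    for threshold, prob in ep.items():
        print(f"P(loss > {threshold:5.0f}m) = {prob:.2f}")
```

Each compartment count is an integer and the transitions are binomial draws, so the population is conserved at every step and a run with beta = 0 never grows beyond the seeded infections; varying beta, gamma and the seed is what turns a single deterministic trajectory into the distribution of outcomes an EP curve summarizes.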
Investing in Cyber-Physical Loss Models
Finally, RMS has maintained its substantial investment in cyber-physical loss models. These models take data from the EDM (the RMS property exposure data store) and other casualty classes to quantify the impact of clash-type cyber catastrophe events such as power blackouts. This allows insurers to explore the potential for silent cyber losses across their business, supporting regulatory reporting. Many insurers are exposed to this type of cyber risk, even if they don’t write affirmative cyber insurance policies.
These new insights and models continue to be delivered within an open modeling framework, allowing complete transparency into each of the modeling components. This transparency allows users to validate each component and create custom models to support their own view of risk.
This new solution from RMS represents a significant step forward for the insurance industry to model its cyber risk. For more information, please contact firstname.lastname@example.org.…
Tom is the Head of Cyber Product Management for RMS, and since early 2015 has worked together with the Cambridge Centre for Risk Studies and RMS’ development partners to bring the RMS Cyber Accumulation Management System and subsequent RMS Cyber Solutions to the market. Tom joined RMS in 2013 as a technical sales expert assisting a number of leading (re)insurers further their catastrophe management practices.
Prior to joining RMS, Tom spent 4 years at Hewlett Packard Software within the European presales team working closely with a number of HPS’ IT security products.