It’s too soon for Marriott International Inc. to estimate the cost of the massive cyber breach that the company disclosed last week, and other companies that have suffered big attacks are imperfect proxies, said Chief Financial Officer Leeny Oberg at an investor conference today.
“Any situation that you’ve seen from other companies, they are all highly individual, and no one should make an assumption about, if it was this way for one company, it will be that way for another,” Oberg said at the Barclays Gaming and Lodging Conference, marking the first public comments by a top executive since the company disclosed the hack. “You do expect there will be material costs associated with this.”
Marriott said Dec. 1 that personal data for as many as 500 million guest was exposed in the breach, according to the company’s statement. The hack affected the system for Starwood Hotels and Resorts, which Marriott acquired for $13.6 billion in 2016, and in some cases exposed credit card data, passport numbers and loyalty account information.
The company could face $200 million in fines and litigation expenses, and could spend about $1 per customer notifying victims and providing free data monitoring services, according to a note last week from Morgan Stanley.
The company’s legal liability could be even higher, according to Bloomberg Intelligence analysts Tamlin Bason and Holly Froum, who estimated costs as high as $1 billion, including a potential fine of about $450 million – or about 2 percent of the company’s 2017 revenue – under Europe’s General Data Protection Regulation.
Now Marriott faces investigations from state attorneys general, European regulators and the prospect of consumer litigation. The company is also facing pressure from the Senate Commerce Committee, which set a deadline of Dec. 17 for the company to provide details of its investigation and a timeline of events.
Marriott is still investigating the extent of the breach and is in the process of notifying customers, according to a spokeswoman. The company said it will pay for a web-monitoring service, and will also cover the cost of replacing passports. It carries insurance that will cover some of those costs.
Hospitality was the third-most targeted industry according to a report this year from Trustwave Holdings, an information security firm. It’s common for thieves to target credit card readers in point-of-sale attacks, as are campaigns designed to trick front desk clerks into downloading malicious software.
Hilton Worldwide Holdings Inc., Hyatt Hotels Corp. and InterContinental Hotels Group have all been targeted in past attacks, though the Marriott breach dwarfs those hacks in terms of number of guests affected.
Marriott has been investing in improving data security for years, and is stepping up investing even faster as a result of the breach, Oberg said.
“As you think about the system that existed in 2013, 2014, 2015 in general corporate America as compared to now there’s already been dramatic improvement,” said Oberg.”This is about keeping up with the bad guys. They’re only getting more sophisticated.”