Marriott International Inc. will be dealing with direct cyber incident losses from its massive data breach of between $200 million and $600 million, according to an AIR Worldwide estimate.

Marriott disclosed on Dec.1 that it had uncovered a massive data breach at its Starwood Hotels and Resorts, with as many as 500 million guests dealing with exposure of their personal data.

AIR said its loss estimate is based on the assumption that 500 million records were stolen. It added the estimate also reflects uncertainty about data that was stolen.

“While credit card data was stolen, it was encrypted; however, the encryption key itself may have been stolen as well. There is additional uncertainty, as some of these records may be duplicates,” AIR Worldwide said.

AIR noted that net financial impact to Marriott will be partially mitigated by the cyber insurance and other liability insurance coverage they reportedly have, which are not accounted for in these estimated losses.

Its modeled loss estimates include first- and third-party losses directly related to the security breach, including notification costs, forensics, credit monitoring, replacement of credit cards, setting up a call center, and any liability covered under an affirmative cyber policy

AIR’s modeled loss estimates do not include any fines that may be levied upon Marriott, including potential fines for violation of the GDPR, D&O and other non-cyber policy related claims, reputational loss, business interruption and decrease of stock price.

AIR Worldwide is owned by Verisk Analytics.

Source: AIR Worldwide

Topics Cyber