In our latest blog post, Freddy Knight, Cyber Practice Specialist, considers the impact of the recent, high profile Marriott Data Breach.
On the 30 November 2018, reports started to emerge of a potential data security incident involving the Marriot hotel chain; more specifically, the Starwood guest reservation database. This large-scale incident is likely to have far-reaching implications, and affect not only those guests whose details were compromised but also the insurance industry itself.
On the 19 November 2018, an investigation determined that there was unauthorised access to a database, which contained guest information relating to reservations at Starwood properties* on or before the 10 September 2018. On the 8 September 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States and later learned that there had been unauthorised access to the Starwood network since 2014.
The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.
For approximately 327 million of these guests, the information taken includes some combination of the following:
- Mailing address
- Phone number
- Email address
- Passport number
- Date of birth
- Arrival and departure information
- Reservation date
- Communication preferences
For some, the information also includes payment card numbers and expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.
Marriot have confirmed to The Insurance Times that that the “company carries insurance, including cyber insurance, commensurate with its size and the nature of its operations”. Other sources in the reinsurance world are noting cover in place with limits somewhere between $250 million and $350 million, across a number of Insurers.
The impact on the insurance industry and clients
So what does this mean for the industry and its buyers, our clients? Reinsurance News is reporting that Property Claims Services (PCS) is now investigating the attack and has designated it as a Global Cyber industry loss of interest. As a designated PCS Global Cyber event, the firm will now monitor and collect claims data for the loss and feed it back to its subscribers.
As Cyber cover is relatively new, each loss we are seeing is helping shape the policies available to buyers, and the sheer size of this loss alone will make it a key marker for insurers providing Cyber Insurance to the market.
As with the recent British Airways and Morrisons data breaches, eagle eyed law firms have already begun filing class actions against Marriot with some reports quoting figures of $12.5 billion in damages, or $25 for each of the 500 million individuals affected by the breach, being sought. Should these compensation claims be successful, it would result in insurers carefully reviewing the rates given to the Privacy Liability sections of their policies.
Business interruption and reputational damage
Outside of Liability, Insurers could also find themselves paying considerable amounts in respect of Business Interruption. The database at the centre of the hack will no doubt require some serious security improvements and, should this affect their reservation system, it could result in a damaging amount of downtime for the hotel chain. In addition to the Liability and Business Interruption losses, Reputational damage following an event of this magnitude is almost inevitable, so, as you can see, Insurers could find themselves with colossal amounts to settle across a number of sections of their policies.
In summary, we are watching an event pan out that has potential to be the largest standalone cyber loss in history. How will this affect the insurance industry and its buyers? Nobody knows for sure, but you can be certain that it will.
What to do if you were affected by the Marriot data breach
CNN Business is advising individuals who believe that may be affected by the breach to:
- Change your password
- Monitor your accounts for suspicious activity
- Limit the information you share
- Avoid saving credit card information on websites
- Be vigilant
Talk to us
If you would like to learn more about how we can help you with cyber insurance, please get in touch.
Call us on 0207 089 2900 or email us at firstname.lastname@example.org
*Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.