The data breach at hotel group Marriott International, one of the largest ever, could prove an important test for regulators and insurers alike.
In late November, Marriott announced a hack that granted hackers access to the personal data of up to 500 million customers via its Starwood Hotels reservation system. Marriott says it learnt of the data breach on 8 September 2018, although the attack is believed to have started as early as 2014, which pre-dates the acquisition of Starwood by Marriott in 2016. The attack has since been linked to an espionage effort by Chinese hackers.
Hotels are attractive to hackers because they hold large amounts of personal data and rely heavily on technology for booking and guest services. Increasingly, hotels encourage guests to use apps and smartphones to check in, unlock doors, order services or control the air conditioning and entertainment features. They also rely on third-party vendors to provide hotel services, from payment card processing to staffing and maintenance, and these vendors are often connected to a single network.
There have been more than a dozen data breaches involving hotel groups since 2010. In October, Hyatt Hotels suffered its second payment card data breach in as many years, while Hilton was fined USD 700,000 in 2017 for its handling of two credit card data breaches in 2014 and 2015. In November, Radisson Group said a security incident had affected members of its loyalty scheme, while in 2017 hotel reservations group Sabre Hospitality Solutions suffered a data breach that affected multiple hotel groups.
The Marriott data breach is the largest data breach of a hotel group and the second largest ever after the 2013 breach at Yahoo, in which three billion user accounts were compromised. Marriott says it has already informed the relevant authorities and has started notifying affected customers.
The breach could easily cost Marriott hundreds of millions – if not billions – of dollars in legal costs, additional security measures and the expense of dealing with the breach. Yahoo faced USD 47 million in litigation expenses for its 2013 breach, while Target and Home Depot each incurred costs of about USD 200 million following data breaches in 2013 and 2014. Ponemon estimates the average cost of large data breaches (50 million records) to be USD 350 million – which suggests that a breach affecting 300-500 million customers could cost as much as USD 2-3.5 billion.
Marriott could also face a large fine under the EU’s tough data protection law, the General Data Protection Regulation (GDPR), which came into force in May 2018. Severe breaches of the GDPR command maximum fines of up to 4% of global revenue – in the case of Marriott this would equate to around USD 900 million. The Information Commissioner’s Office (ICO) in the UK, where Marriott’s European headquarters are based, confirmed that it had been notified of the breach by Marriott.
The GDPR requires companies to inform regulators within 72 hours of discovering a data breach. However, Marriott’s breach dates back to 2014, making it difficult to assess what data has been compromised and when. Marriott says it believes that it has complied with all reporting requirements under the GDPR, notifying regulators of the incident when it had realised the extent of the breach.
Litigation is likely to make up a large part of the breach costs. Shares in Marriott fell 5.5% on news of the hack, and within hours US attorneys had filed the first of several consumer and securities class actions against the company. One of the plaintiff lawsuits from consumers is claiming as much as USD 12.5 billion in damages.
Already a feature of US data breaches, litigation has now spread to Europe. Under the GDPR, class actions are more attractive, in part because the new regulations enable consumers to claim for non-financial damages, such as the distress caused by a breach. Research from Thales found that 69% of consumers would consider legal action following a breach post-GDPR.
A number of specialist law firms have launched class actions following data breaches in the UK, including those at British Airways, Equifax and Ticketmaster. Hayes Connor Solicitors says it is willing to bring a group action against Marriott in the UK.
Earlier this year, the Court of Appeal ruled against UK retailer Morrisons in the UK’s first data breach class action. The case, which highlights the potential for costly data breach litigation and the need for specialist cyber insurance, saw Morrisons held vicariously liable for the criminal actions of a disgruntled former employee, who stole the personal data of 100,000 employees and published the information online. The appeal court judgement suggested that companies protect themselves against potentially ruinous data breach liabilities through insurance.
Following the breach, Marriott says it is working with its insurers to assess coverage. According to Marriott’s annual report, the hotel group holds cyber insurance, although it has not disclosed the deductible or level of coverage. Media reports speculate that the hotel group has between USD 250 million and USD 350 million of affirmative cyber insurance cover.
The breach could result in a large claim for insurers, and there will be considerable interest in how the policy responds. On the face of it, the claim should be straightforward, although insurers will look at a number of areas when assessing coverage, including when the attack began, who knew about the breach and when, and the steps taken to mitigate the loss. It will also be interesting to see how the policy responds to any potential enforcement action, including defence costs and fines.
Even if Marriott’s insurance responds in full, the total cost of the data breach loss is likely to exceed the group’s cyber insurance limits. In its report and accounts, Marriott appears to anticipate the potential limitations of its cyber insurance, as well as the availability of cover in the future.
“Although we carry cyber / privacy liability insurance that is designed to protect us against certain losses related to cyber risks, that insurance coverage may not be sufficient to cover all losses or all types of claims that may arise in connection with cyber-attacks, security breaches, and other related breaches. Furthermore, in the future such insurance may not be available to us on commercially reasonable terms, or at all.”
With increased purchasing of cyber insurance, insurers have paid out on some large cyber insurance losses of late. Equifax’s 2017 data breach, which impacted over 145 million consumers, is expected to cost the company USD 430 million in 2018. The company says it has USD 125 million of cyber insurance coverage, and it received insurance recoveries of USD 95 million.
Last year it emerged that US pharmaceutical company Merck was set to claim hundreds of millions of dollars from its insurers following a ransomware attack in 2017. As with Equifax, Merck’s cyber insurance coverage is unlikely to prove adequate. Earlier this year Merck said the cyber attack had already cost it USD 260 million in lost sales and USD 320 million in additional costs, with a further USD 200 million expected. The company has received USD 45 million from insurers, although Property Claim Services (PCS) estimated that insurers will eventually pay at least USD 275 million.
For more information please contact Sarah Stephens, Head of Cyber on +44 (0)203 394 0486.