Catastrophe risk modelling firm AIR Worldwide has estimated that direct cyber incident losses emanating from the recent Marriott data breach will range between $200mn to $600mn.

AIR said that its loss estimates are based on the assumption that 500 million records were stolen, as reported by Marriott. 

The firm said that the range of loss estimates reflects the uncertainty about the data that was stolen, for example while credit card data was stolen, it was encrypted; however, the encryption key itself may have been stolen as well. It said that there is also additional uncertainty, as some of these records may be duplicates.

AIR’s loss estimates are based on an analysis performed using its cyber model and are subject to uncertainty and are not based on actual policy or loss data reported by Marriott.

AIR said that the net financial impact to Marriott will be partially mitigated by the cyber insurance and other liability insurance coverage the hotel group reportedly has, which are not accounted for in these estimated losses.

The firm said that its modelled loss estimates include first- and third-party losses directly related to the security breach, including notification costs, forensics, credit monitoring, replacement of credit cards, setting up a call center, and any liability covered under an affirmative cyber policy.

However, it highlighted that they do not include any fines that may be levied upon Marriott, including potential fines for violation of the GDPR, directors’ and officers’ and other non-cyber policy related claims, reputational loss, business interruption, decrease of stock price, nor the impact of any insurance coverages that Marriott may use to recover their losses.

“AIR’s new probabilistic security breach model shows that this type of event is not unprecedented, even though an event of this magnitude hasn’t previously happened to a hotel chain,” said Scott Stransky, assistant vice president and director of emerging risk modelling at AIR Worldwide. 

“In fact, the largest recorded breach for a US -based hotel chain prior to this event was less than 1/50 the size in terms of the number of records stolen. There are more than 300 simulated events in our model that cause higher losses for US based hotels.”

In a statement on 30 November, Marriott revealed that on 8 September, it had discovered unauthorised access to its Starwood brand guest reservation database. During the investigation that followed, it learned that there had been unauthorised access to the Starwood network since 2014.

The hotel group believes that the database contains information on up to approximately 500 million guests. For around 327 million of affected guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood preferred guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

Marriott also cautioned that, for some of these accounts, the information also included payment card numbers and payment card expiration dates. Whilst the payment card numbers were double-encrypted, Marriott said that it was unable to rule out the possibility that both the components required to decrypt them were stolen by the hackers.