Marriott Data Breaches and Cybersecurity Insurance: A Case Study

Author: Laura-Jane Hatcher

Months after disclosing one of the largest data breaches in history, Marriott announced their out-of-pocket expenses from the incident were only $1 million. This amount was shockingly low considering that the data of 383 million guests, including unencrypted payment card information, had been compromised.

The reason? Marriott’s robust cybersecurity insurance coverage, which footed $71 million of the $72 million total cost. Though the international hotel chain continues to face fines, legal fees and other expenses, the lesson is clear: cybersecurity insurance played a significant role in mitigating the financial impact.

Nearly 20% of all hotels have already experienced a data breach and, with cybercrime poised to rise dramatically in coming years, it’s unsurprising that most experts agree cybersecurity insurance is a necessity.

Yet, as shown by the three breaches that Marriott has experienced, a comprehensive insurance policy is only one instrumental tool in a complete cybersecurity toolkit. Prevention is key. To that end, let’s see what lessons can be gleaned from the infamous Marriott data breaches to protect hoteliers against ever-evolving cybersecurity threats.

Timeline

2018:

* Marriott reports the discovery of a breach in their guest reservation database.

* Unrestricted access began in 2014 in Starwood guest reservation systems, two years before Marriott acquired the major hotels & resorts franchise.

* For four years, hackers had remote access to the network after installing a RAT (remote access Trojan), evading detection by re-encrypting data after it was stolen.

* This data breach remains one of the largest ever, exposing eight million guest credit card numbers, with an estimated cost of $2 billion in fines and legal expenses.

2020:

* A second breach is discovered at a Marriott franchise hotel in February, compromising the data of 5.2 million guests.

* Login information for two employees was stolen in a January break-in, allowing criminals to freely access the guest database.

2022:

* Marriott is targeted again, suffering their third data breach when an unnamed hacking group preyed on hotel staff, using social engineering techniques to steal their credentials.

* Criminals released 20 gigabytes of customer data, including guest credit card numbers.

Marriott’s Masked Cybersecurity Insurance

It can’t be overstated: Marriott’s robust cyber insurance greatly reduced the financial burden that a data breach of this magnitude could incur. In the four years since, the costs have kept mounting. Between the hefty $23 million fine levied under the UK’s GDPR and multiple class action lawsuits, this incident could end up costing the hotel giant upwards of $3.5 billion before the dust settles.

That leaves an important question: how much more will their insurance cover?

Little is known about Marriott’s cybersecurity insurance provider, including their level of coverage or their deductible. Beyond the initial $71 million payout in 2019, they’ve been tight-lipped about any payouts they’ve received, with the only references to their insurance carrier being found in their quarterly filings to the SEC.

Marriott’s September 2021 SEC filing states they are dealing with the rising costs of cybersecurity insurance across the board, further compounded by their recent data security incidents. They warn that, “…costs for our cyber insurance increased with each of our renewals over the last several years, and the cost of such insurance could continue to increase for future policy periods.”

With this in mind, there are lessons to be found for hoteliers beyond just having insurance in place.

Personalized Cybersecurity Insurance Coverage

It’s a unique time for the cybersecurity insurance marketplace. Premium costs may be on the rise, but these policies are still relatively new. Only 35% of hospitality businesses currently have coverage, giving hoteliers a degree of leverage when negotiating a policy that works for their organization.

It can be tempting to choose an out-of-the-box solution, but this may not be the best answer to your organization’s needs. From the information Marriott has divulged, their policy has clearly been tailored to include additional support beyond just first-party coverage.

Purchasing a policy that includes third-party or cyber liability coverage may be a bit pricier, but doing so could see your teams financially protected from:

* Legal fees.

* Court costs & settlements.

* Regulatory fines (such as those levied under GDPR).

As hotel portfolios vary in size, determining what level of protection your organization needs is up to you. However, a good starting point is to review the amount of guest data your organization currently stores. The average data breach costs about $250 per compromised record, so a larger portfolio could see astronomical expenses in court costs alone.

In the case of Marriott, this is integral because they’re currently facing a class action lawsuit for the 2018 breach that could reach an outstanding $12.5 billion in costs and losses. However, depending on the number of clients your portfolio serves, legal coverage may not be as important.

This is where underwriting comes in. In ten years, this option may not be as readily available to hoteliers. But, as cybersecurity insurance is still in its relative infancy, tailoring a policy to your portfolio’s data and risks is still an option. This gives your organization leverage to secure the personalized coverage it needs.

Prevention

Even the most robust cybersecurity insurance cannot prevent all the monetary loss in the event of a major data breach. While it may cover investigations and fines, reputational damage can be catastrophic. Research shows a data breach can cause a 5% decline in share price and a 7% loss in customer base. Add to that the incalculable personnel hours devoted to all three incidents and it’s clear that insurance cannot be your only line of defense. Prevention is paramount to maintaining a sound financial position.

There are several preventive measures Marriott could have taken to minimize or completely thwart all three breaches.

Data Management & Support

A single vulnerability did not cause Marriott’s initial breach to be as impactful as it was. The consequences of their breaches were compounded by improper data management and poor security policies. Starwood’s guest reservation system had already been breached before Marriott purchased it, allowing hackers to actively steal data for two years undetected in the infamously insecure network. Making matters worse, much of Starwood’s IT workforce was laid off in the acquisition.

As the threat of breaches grows year by year, giving your IT teams the support and tools they need is vital to maintaining a sound cybersecurity posture. Resources like those offered in VENZA’s Everest Program™ include robust data protection solutions to help ensure your network is secured. Likewise, setting forth policies and procedures for safeguarding personally identifiable data keeps your organization aligned with the multiple compliance regulations surrounding Personally Identifiable Information (PII).

Data Security Training

Securing your network is not just about fortifying your infrastructure. 

Despite patching the vulnerabilities exploited in 2014, Marriott still suffered two subsequent data breaches soon after. Both attacks were perpetrated by threat actors using social engineering techniques that manipulated hotel staff into revealing credentials, giving the attackers unrestricted access to the network.

Over 70% of all data breaches are perpetrated through social engineering attacks. The number one defense against it? Training.

Not only should associates be educated against the threats targeting them, hoteliers must also create a culture of security awareness, giving cybersecurity threats the same weight as physical security protocols and measures.

It may seem unmanageable, but VENZA is here to help! We provide top-of-the-line educational resources and learning and offer a personalized Customer Success Coach dedicated to fortifying your ‘human firewall.’

Feeling overwhelmed? Don’t be. VENZA is here to help. Cybersecurity is complex, but in partnership with us, your company can get started in as little as one month. Get a live demonstration today by contacting our Customer Success Team.

Ready to elevate your game? Contact Sales to discuss signing up for our programs or adding new solutions to your contract. 
