It looks like Marriott is making a late dash to reach the top of Santa’s naughty list this year. News broke this morning of a colossal data breach that could impact up to 500 million people who made reservations at Starwood properties. The customer data within the compromised accounts includes names, email addresses, passport numbers, dates of travel and payment card numbers (Marriott says the card numbers were encrypted, but it has not been able to rule out that the material needed to decrypt them was also taken). The size of the data cache and the sensitive nature of the compromised data are truly alarming. A data breach of this scale will have multiple costly long-term consequences.
The Initial Costs
The notification website that Marriott launched for victims cites elements of the timeline. From that information we can already start to draw a picture of how this breach has had a financial impact on the company. The company was first alerted in early September 2018 that its systems had been compromised, and an investigation was launched to determine the nature of the breach. By November 19th, over two months after starting the investigation, the company determined that the impacted data was from the Starwood reservation database, which includes customer PII (personally identifiable information). It has established an emergency call center, identity monitoring for impacted guests and the notification website run by Duff & Phelps, which is likely providing many more services to the company at this time.
The Cost Impact Today (So Far…)
One of the biggest measures of the initial impact on Marriott is the market’s reaction. At time of publication, just 6 hours after the first reports of the breach, the stock had lost around 5.6% against a market that was in a positive mood at the start of the G20 summit. How the company reacts and how regulators respond to this breach will very likely see some volatility in the stock over the coming weeks and months. Other factors that will raise the mounting bill for Marriott will be their guests’ reactions.
As a Marriott customer, I’m waiting with bated breath for the email that tells me that my details have been compromised. I will very likely jump over to the website that tells me what I should do or will possibly call the hotline if I still have questions. And of course, it will not just be me but up to 500 million other guests who will be doing the same thing in the coming days and weeks. What will be the cost of scaling those systems and processes to meet the demand? And what of guests currently staying at one of their 6,700 properties around the globe? I’m sure they will be asking many questions at their properties. I wonder if more personnel have been brought in to help answer those questions?
The Gift that will Keep Costing
So, what does the future hold for Marriott? There will be the ongoing, mounting costs associated with a breach of this magnitude – the cost of the forensics and incident response, IT, legal and consultancy services to respond to the breach, the identity monitoring for guests impacted, and lost consumer confidence that may impact future reservations and revenues. There will also very likely be other costs associated with regulatory fines and victim compensation. When breaches like this happen class action lawsuits are often not far behind. If there was negligence on the company’s part, and with reports that they may have been compromised for 4 years, those lawsuits could very well have teeth.
The Starwood breach is suspected to have started in 2014. Marriott purchased the Starwood Group in September 2016, therefore the security and compliance due diligence and integration of IT systems that was carried out must be called into question. Did someone miss something?
The other interesting thing to look out for is what the EU regulators will do. We are living in a GDPR world and the data of EU residents was included in the breach. The breach itself could have a fine associated with it, but the possible 4-year timeline could also have financial implications. Under GDPR, an organisation that suffers a personal data breach must notify its supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; if notification comes later than that, the delay has to be explained. The notification should describe the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, and the measures taken or proposed to address it, although the regulation allows that information to be provided in phases if it is not all available at once. Where the breach is likely to result in a high risk to individuals, the organisation must also inform those individuals without undue delay.
Suspicious activity detected September 8th; impacted data identified November 19th; public announcement November 30th. That is well past the 72-hour window, if the clock started in September. Now it could be that Marriott informed regulators in a timely fashion and it has taken until now to work out which individuals have been impacted, since the public announcement is not the same thing as the notification to the supervisory authority. But I suspect that the regulators will be scrutinizing this timeline to ensure that Marriott was justified in how long it appears to have taken to recognize the breach and notify its guests.
The Final Bill?
The Marriott data breach currently ranks at number 3 in the table of data breaches by size. There are various industry estimates of the approximate costs of a data breach based on the number of records. The Ponemon Institute put the figure at $114 per record in 2017. Although this represented a decrease of around 10% from the previous year, this figure does not include the potential impact of a GDPR fine, as those regulations only came into effect in May 2018. From the looks of the situation, holiday cheer and bonuses may be in short supply at Marriott this year.
Learn how content and context aware data security can help keep you off of Santa’s naughty list this year.