Data breach

Data itself isn’t the only exposure following Marriott Group’s recent data breach

Posted in News & Views
Russell Managing Director
On 30th November 2018, Marriott International notified Regulators of a significant data breach which has exposed up to 500 million guests who have previously stayed in Marriott and associated chain hotels around the world including W Hotels, Sheraton, and Le Méridien.

Reports suggest that there have been ongoing issues stemming back to 2014 where the Starwood guest reservation software has been subject to unauthorised access. Sensitive data has been accessed including passport numbers, names, addresses and dates of birth. Marriott are also unable to rule out that payment information has also been compromised. It is still unclear how Marriott, despite all the resources they have at their disposal, have been unable to detect and rectify the problem for the last 4 years.

The company now inevitably faces a class action suit in the US. The Insurance Times recently confirmed that the Marriott Group carry Cyber Insurance to protect themselves from such a situation which is ‘commensurate with its size and nature of operations’. Cover is believed to be to levels upwards of $300m. The difficulty in assessing what limit of cover to purchase is clear; the class action which Marriott now face is believed to be as high as $25 per individual breached, so £12.5bn in total. As we watch this unfold, the insurance market sits quietly poised to react to this recent breach and reassess premium levels and terms. It is clear that this looks to be the largest privacy claim thus far under a cyber insurance policy, despite blowing through the coverage that Marriott have in place. The knock-on effect for many other cyber insurance clients may be an increase in premium or a beadier eye on the privacy controls that an organisation has in place.

As with all data breaches, we see that the exposure here is far more than just the data itself. Shares have also fallen 5.6% in the Marriott Group and Senators in the US are calling for far more accountability for CEOs. Senator Elizabeth Warren commented that “CEOs won’t take our data security seriously unless their own jobs are on the line”. It is vitally important that organisations of all sizes take responsibility for their data seriously. Legislation in the UK and US differs significantly but the accountability for a breach is clear. State by State, the US are catching up with the EU’s GDPR, which has been the single most important change in data regulation in 20 years. Its effect on UK organisations has been widely felt, placing greater responsibility on them to store and control data safely and taking a forceful stance on penalties and fines for any form of breach.

Many UK customers of Marriott will be victims. Marriott have responded to the breach by setting up a website to give affected customers more information. It will also offer customers in the US and some other countries a year-long subscription to a fraud-detecting service, but this is too little too late. The response from Marriott to the breach has been tardy and slow, and it appears they have learned nothing from the Equifax breach back in 2017. In a statement, the UK's Information Commissioner's Office said: "We have received a data breach report from Marriott involving its Starwood Hotels and will be making enquiries. If anyone has concerns about how their data has been handled, they can report these concerns to us."

Marriott join an ever-increasing list of high-profile names to report breaches to the Regulators: FIFA, Google, Equifax and T-Mobile, to name but a few. There is no question that cyber breaches have been a gigantic thorn in the global economy for years, but expect them to be even more rampant in 2019. Chronically improving malware, the resurgence of Ransomware and an increase in Nation-State attacks will be deployed. The cyber threat is here to stay, and it remains the number one risk to businesses across the globe.

If you would like to know more about cyber-crime and privacy protection, please contact me at russell@vibl.co.uk or 020 3488 3220