The insurance and reinsurance market is awaiting official notification for a sizeable cyber loss from the Marriott hotel chain, after a data breach exposed up to 500 million customer details, Reinsurance News understands.
This cyber loss has literally just hit the mainstream press headlines in the last hour and involves around 500 million details of customers (or members).
Marriott said that the breach involved its Starwood brand guest reservation database, with its investigation showing that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018.
The breach includes some banking or credit card details being lost, Marriott said.
The firm explained, “It contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).”
Marriott said that an unauthorised party had copied and encrypted information from the Starwood reservation database, and took steps towards removing it.
A number of our sources on the underwriting and broking sides of the market have confirmed that the loss notification is expected and likely to be meaningful to those exposed to it.
We’re told that this loss could wipe out the specific affirmative cyber insurance that is in place on the account in question, which we understand extends to $250 million or a little more, with the potential to hit broader business coverages if interruption becomes a factor.
We have been hearing rumours that a new cyber loss was about to hit the market for almost a week now and that it would be hotel chain related.
Some market sources have said that whatever cyber loss event does emerge is destined to hit cyber reinsurance carriers as well, all of which goes some way towards suggesting that there is veracity to the information.
Hotel chains have been hit by numerous cyber attacks over recent years, resulting in a number of cyber insurance and business interruption claims.
This has the potential to be a particularly large loss of customer data, one of the largest seen in terms of numbers and with some banking information and personal details on millions lost, it’s almost certain to prove costly to Marriott and likely to its insurers.
Being a consumer focused sector that deals with significant quantities of customer data and volumes of electronic transactions, it is a prime target for hackers and other cyber criminals.
Property Claim Services (PCS) has since confirmed that it is to designate the event, meaning that it will now monitor and provide reports in due course, including on the resulting industry insured loss.