On Friday morning, November 30, one of the largest hotel chains in the world, Marriott International, announced one of the largest data breaches in history. The company declared that unknown hackers had compromised the guest reservation database of Starwood Hotels, a subsidiary, and copied and encrypted the personal information, including some banking or credit card details, of approximately 500 million guests.
Two days earlier, on Wednesday, November 28, Dell announced that the company was affected by a potential cybersecurity incident. Dell reported that it had detected and prevented unauthorized activity in its network that attempted to extract Dell.com customer information: names, email addresses, and hashed passwords. The company did not provide any information on the extent of the incident, which is still under investigation.
The two incidents are not directly related (although a source reported to Forbes that Marriott was hacked in an earlier incident, probably related to the current event, following a mistake by a contracted cybersecurity vendor that appears to be SecureWorks, a cybersecurity provider once owned by Dell), but there are some interesting parallels when comparing the preliminary consequences of the two attacks, especially the consequences for intangibles from the HERMENEUT point of view. Let’s consider, for example, just a few specific types of intangible assets: reputation, brand and trust in the companies. These are usually the first intangible assets to be affected after a data breach, followed by the economic impact on stock markets.
Marriott is a non-technological company whose reputation is an essential asset in the hospitality business. Marriott’s reputation is built on the quality of its hospitality services, not on its cybersecurity robustness. The cyber resilience of Marriott is a consequence of the importance of its customers’ privacy and can therefore be considered, from the customer’s perspective, an accessory service. Monitoring the impact of this breach in the medium and long term should therefore be of particular interest. This may provide indications of the extent to which an IT risk affects intangible assets whose value is not IT-related.
On the other hand, Dell is an IT company that is a recognized brand in the field and that has a strong cybersecurity reputation. For Dell, cybersecurity is not just a product but the heart of the business, and the equation, from the consumer’s point of view, is simple: if the organization can be hacked, its products can be hacked as well. Although there is not yet any information on how Dell’s network was disrupted, it sounds as if the company has mastered the situation well and professionally overall. This is another interesting case for monitoring the impact on intangible assets, here for an IT company that appears to have handled the incident in a very professional, organized and thoughtful manner.
Own illustration based on various sources
In the immediate aftermath of the news of the Marriott hack, several U.S. Democratic senators called for stricter privacy laws and substantial fines for companies that fail to protect their customers’ data. They criticize that companies repeatedly fail to prevent the theft of customer data and that customers ultimately have to pay the significant costs of corporate security and privacy reliance. This call for tough sanctions for companies that neglect appropriate security measures is also a consequence of the GDPR, which came into force in May in the European Union and has had an influence that goes far beyond the borders of the EU. Data protection can no longer be left to the goodwill of companies that may or may not invest sufficiently in cybersecurity, as some companies possess millions of records whose theft not only has macroeconomic consequences, but also exposes each individual affected to an incalculable threat. The consequences for Marriott in the EU cannot yet be foreseen. However, the British information commissioner has already begun investigations under the GDPR mandate. So far, little is publicly known about the Dell incident.
The insurance and reinsurance market initiated measures last week to prepare for the significant data breach and its consequences. Sources in the insurance market have been speculating for a week about the imminent release of a major cyber incident that will have a significant impact on insurers, reinsurers and the industry as a whole. Property Claim Services (PCS) has since confirmed that it has declared the event a “Global Cyber Industry Loss of Interest”, meaning that it will monitor and report on its impact in due course, including the resulting industry loss. The reinsurance market will also be affected as the loss is expected to be substantial. The insurance market can thus apply the industry loss estimate as input for all cyber industry loss warranties (ILW) or other loss-related risk transfer instruments. Some industry sources estimate that Marriott has between $250 and $350 million in cyber insurance cover – an amount that is expected to be exhausted by the resulting claims. The infrastructure needed to contact the millions of affected customers will alone cause massive costs. Litigation costs and other indemnities will further increase losses, as will the cost of identity protection and account monitoring services. According to Reinsurance News, the reinsurance markets of Lloyd’s, AIG, AXA XL or Chubb could be affected by this event as they are specialized in cyber covers. The Marriott hack has the potential to be the largest standalone cyber insurance loss in history. However, it is still too early to speculate about the scale and associated impacts. The next weeks and months will be challenging for Marriott International and the cyber insurance market.
On the day the Marriott data breach was announced, the stock plummeted from $122.8 to $114 – a loss of about 7%. On Monday, December 3, the stock recovered about half of its loss before the end of trading. So far there are no reliable figures on the expected damage costs, but losses can run into billions of dollars. A recently published study by the Ponemon Institute, commissioned by IBM, estimates the cost of the loss of 50 million records at $350 million. The study is based on actual financial losses incurred by eleven companies following major data losses in the past two years.
Marriott International Inc. Source: FT NSQ
A class action suit against Marriott filed only hours after the disclosure of the breach offers a first glimpse of the actual possible costs. The plaintiffs demand the equivalent of $25 for each victim to compensate for costs and damages – which would add up to $12.5bn for the 500 million victims. The two Oregon-based plaintiffs told a local newspaper that the $25 was an absolute minimum as an expense allowance for blocking a credit card, for example.
In contrast, the Dell Technologies Inc. share even appreciated slightly on the day the cybersecurity incident was announced (1.6%). The stock closed at $104.7 the previous day and closed at $106.42 on the day of the announcement (November 28). However, the price movement is rather insignificant and cannot be connected to the incident. As very little information is known so far and the media rushed into the Marriott case two days later, no relevant conclusions can be drawn.
Dell Technologies Inc. Source: FT NYQ
Additional Sources: 500 Million Marriott Guest Records Stolen in Starwood Data Breach (The Hacker News); Dell announces security breach (ZD Net).
This article has been written by project members Cefriel and BIGS. Cefriel is a digital innovation centre creating and rethinking products, services and processes to enhance and develop digital technologies. BIGS (the Brandenburg Institute for Society and Security) is an independent, non-partisan non-profit institute in Potsdam building bridges between theory and practice to improve research in civil security.