[BreachExchange] GDPR May Add Up To $8.8B Marriott's Data Breach Expenses

Destry Winant destry at riskbasedsecurity.com
Thu Jan 10 02:23:18 EST 2019


https://www.forbes.com/sites/yiannismouratidis/2019/01/09/gdpr-may-add-up-to-8-8b-marriotts-data-breach-expenses/#1143d67862e1

The Marriott data breach is under investigation in several countries
where the hotel and resorts giant has a presence. In the E.U., the
Information Commissioner’s Office (ICO) leads the investigation; it is
the UK's independent body set up to uphold information rights. Local
authorities of each country are interested in participating as
'supervisory authorities' in the cooperative framework of GDPR.
According to the ICO, as the investigation is at an early stage, no
official attribution has been made. Given that the global annual
revenue of the company reached $22.89 billion in 2017 and the strictest
fine could amount to 4% of it, the sanctions imposed by the E.U. could
translate to $8.8 billion. This would probably surpass the $3.5 billion
that analysts initially estimated some days after the incident went
public. In addition, it is possible that some clients may take legal
action against the company and claim damages, which would raise the
cost of the breach even higher. In the worst-case scenario, if it is
proved that the company was fully aware of the hacker attack well
before it was revealed, the U.S. Securities and Exchange Commission
will pursue a prosecution against Marriott on the grounds of causing
serious losses for its investors.

The exposure is smaller than initially estimated

On January 4, Marriott International issued a new announcement about
the incident which clarifies the extent of the damage. According to
the latest report, the attack involved 383 million guest records
instead of the 500 million initially estimated. The report also states
that 5.25 million unencrypted passport details were exposed in the
breach, together with 20.3 million encrypted passport numbers. As
passport numbers may be used by criminals as an alternative form of
identity, a number of affected customers who obtain a new passport may,
under certain conditions, be eligible for $100 compensation.

In the revised data breach notification there is no change concerning
the number of breached payment cards, which amounts to 8.6 million
encrypted cards, of which some 354,000 were still active as of
September 2018. This raises the possibility of criminal use by
unauthorized third parties. Given that the data breach started in 2014,
it is possible that some of the now-expired payment cards were used in
the past.

Marriott tries everything in its power to avoid the worst

Trying to help its customers and avoid the full fury of the E.U.
privacy regulator, plus the heavy financial implications involved,
Marriott has taken some generous steps, such as offering compensation
to breach victims for passport replacement. Moreover, there is a
special call center and an informative web page answering all the
questions affected guests may have. Lastly, what sounds like a sigh of
relief is the fact that a large part of the data was encrypted and is
therefore more difficult to exploit.

In the aftermath, we consider that there is very little possibility
that Marriott will receive the maximum penalty unless it is proved that
there was no immediate notification of the issue to the supervisory
authority. The Marriott data breach was the first to make headlines
after GDPR came into effect last May, but it is not the only one
reported. More than 200 intrusion incidents that call for cross-border
cooperation are being probed. Some of them concern sensitive personal
data breaches.
