The hacking of a hotel reservation system affecting Sheraton, Westin, Starwood and Marriott could cost up to $600 million for direct losses alone, AIR Worldwide said this week.
AIR, a subsidiary of Verisk Analytics Inc. that produces catastrophe loss models, said Wednesday it estimates losses would be $200 to $600 million. All figures are in U.S. dollars.
Those amounts do not include fines, business interruption, decrease of price, reputational loss or directors’ and officers’ liability.
Marriott International Inc. announced the data breach Nov. 30.
The losses estimated by AIR are not based on any numbers reported by Marriott.
Several class-action lawsuits have been filed in Canada against Marriott, on behalf of consumers whose personal information may have fallen into the wrong hands.
Companies who are targetted by cyber criminals can be sued by people whose data was compromised.
Marriott learned earlier this year that someone was able to access the Starwood guest reservation database, without authorization, since 2014. As many has half a billion records could have been accessed.
In modelling possible losses to Marriott, AIR said it calculated first and third-party losses directly related to the breach. Those include the cost to notify victims, forensics and setting up a call centre. It also accounts for the cost of services for victims including credit monitoring and replacement of credit cards.
There is some uncertainty about the exact amount of the loss for several reasons, AIR said. For one, the credit card data was encrypted, but on the other hand, it is possible that the encryption key was also stolen.
“There is additional uncertainty, as some of these records may be duplicates.”