Marriott: History’s biggest corporate data hack could lead to half a billion dollars’ worth of costs for hotel chain

Countless data breaches hit the headlines through 2018, but none so dramatic and potentially far-reaching as that disclosed by Marriott International at the end of November.

The latest analysis, based on a risk model created by AIR Worldwide, suggests that the incident could cost the global hotel group up to $600m, Computer Weekly reports.

The breach, which affected the hotel chain’s Starwood division between 2014 and 2018, exposed around half a billion customer records in what is the biggest hack in corporate history. AIR has concluded that the mammoth intrusion could carry direct costs of between $200m and $600m.

As stated by an official release, AIR said:

“AIR’s loss estimates are based on the assumption that 500 million records were stolen, as Marriott reported. The range of loss estimates reflects the uncertainty about the data that was stolen, e.g., while credit card data was stolen, it was encrypted; however, the encryption key itself may have been stolen as well. There is additional uncertainty, as some of these records may be duplicates.”

Crucially, the expert assessment does not take into consideration any potential fines levied under the EU’s General Data Protection Regulation, which are likely to be considerable; for the gravest data breach cases, the GDPR provides for penalties of up to €20m or 4% of annual turnover, whichever is greater.

Further collateral costs through reputational loss, stock price falls and disrupted business are also yet to be factored in.

AIR Worldwide’s director of emerging risk modelling, Scott Stransky, said:

“AIR’s new probabilistic security breach model shows that this type of event is not unprecedented, even though an event of this magnitude hasn’t previously happened to a hotel chain. In fact, the largest recorded breach for a US-based hotel chain prior to this event was less than one-fiftieth of the size in terms of the number of records stolen.”

Upon disclosing the incident, Marriott International promptly announced a full investigation as its first response.

The chain’s Marriott-branded hotels were unaffected by the breach because they operate on a separate reservation system and on a different network from the Starwood hotels, which include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton.

The intrusion was first detected when an internal security tool flagged an unauthorised attempt to access the Starwood database. A subsequent investigation found that a malicious third party had copied and encrypted personal data.
