Marriott Data Breach - RiskLens Fast Facts on Cyber Risk in the Accommodations Industry

July 12, 2022  Jeff B. Copeland

Latest news

In early July 2022, hotel giant Marriott reported a relatively small data breach at its BWI Airport Marriott hotel, in an attempted ransomware attack affecting 300-400 clients or employees. The breach was the third reported by the hotel chain in recent years. In May 2022, a US federal judge gave the go-ahead to a class action suit on behalf of 133 million Americans affected by a breach at Marriott discovered in 2018.

Accommodations (Hotels and Restaurant Chains) Industry Data Breach Count

In 2021, this industry was hit with 156 incidents, 69 with confirmed data disclosures, according to the Verizon DBIR. That placed the industry at #16 of 21 categories surveyed in the DBIR.

Most Probable Risks by Incident Frequency and Loss for the Accommodations Industry

According to RiskLens data science, the list below shows the likelihood that each of the common types of cyber loss events (from the Verizon DBIR) will occur on an annual basis for an enterprise in this industry, based on industry averages. (Note: Marriott says its recent loss event began with social engineering.)

  • Social Engineering: 4.6% probability of an event costing $45.4 million
  • System Intrusion: 7.7% probability of an event costing $45.3 million
  • Basic Web Application Attacks: 6.0% probability of an event costing $41.4 million
  • Denial of Service: 2.7% probability of an event costing $6.4 million
  • Insider Misuse: 20.4% probability of an event costing $3.8 million
  • Insider Error: 10.5% probability of an event costing $3.6 million
  • Ransomware: 4.6% probability of an event costing $1.3 million

Assuming only 1,000 PCI records were breached in the most recent loss event at Marriott, RiskLens data science estimates expected losses of about $2.5 million at a company like Marriott.

Enterprise Size Makes a Difference

Probable loss exposure rises from the baseline as the enterprise's employee count, database record count and revenue increase.

Compared to the above figure for System Intrusion, an Accommodations organization with…

  • Revenue: $10-15 billion
  • Employees: 10,000+
  • Record Count: 1 million to 10 million

…could face an 8.1% chance of a probable loss of $469.5 million in a year, according to RiskLens data science. 

Cybersecurity Controls Posture Makes a Difference

As an example, an Accommodations organization faces these chances of a System Intrusion loss event in a year, depending on how well it has implemented and maintained controls, based on ratings from Security Scorecard.

  • A rating = 4.3%
  • C rating = 8.1%
  • F rating = 12.1% 

These stats were pulled from the RiskLens My Cyber Risk Benchmark tool, powered by RiskLens data science (with security ratings from Security Scorecard). See how your industry and your organization stack up – get a free trial of My Cyber Risk Benchmark.