Marriott breach losses could reach $600m

Costly incident: it is estimated the massive data breach at Marriott could result in losses of between $200 million and $600 million

Catastrophe risk modelling firm AIR Worldwide estimates that the direct cyberincident losses for the Marriott breach will be between $200 million and $600 million.

AIR’s loss estimates are based on the assumption that 500 million records were stolen, as Marriott has reported.

This month, Marriott said that in early September it received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott engaged leading security experts to help determine what occurred. It learnt that there had been unauthorised access to the Starwood network since 2014. Marriott recently discovered that an unauthorised party had copied and encrypted information and took steps towards removing it.

Last month, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

AIR said the range of loss estimates it has announced reflects the uncertainty about the data that was stolen, such as whether an encryption key was also stolen along with encrypted credit card data. It said there is additional uncertainty, as some of the records may be duplicates.

Scott Stransky, assistant vice-president and director of emerging risk modelling, AIR Worldwide, said: “AIR’s new probabilistic security breach model shows that this type of event is not unprecedented, even though an event of this magnitude hasn’t previously happened to a hotel chain.

“In fact, the largest recorded breach for a US-based hotel chain prior to this event was less than 1/50 the size in terms of the number of records stolen. There are more than 300 simulated events in our model that cause higher losses for US-based hotels.”

AIR’s loss estimates are based on an analysis performed using its Cyber Model. These estimates are subject to uncertainty and are not based on actual policy or loss data reported by Marriott. AIR said the net financial impact to Marriott will be partially mitigated by the cyberinsurance and other liability insurance coverage it reportedly has, which is not accounted for in these estimated losses.