Marriott Data Breach – Did Corax Predict it Right?

The Marriott breach provides a ‘live’ opportunity to demonstrate an important challenge facing companies and the insurance industry alike – how much can you rely on predictive models for cyber events?

Corax tests the accuracy of its cyber predictions in two ways. 

Firstly, we test our model’s ability to predict known past events. Take the example of Target’s breach of 40 million data records in 2014, which cost $162M. Today, a $162M loss event in our modelling of Target occurs as a 1 in 22 year event. In the eyes of the insurance industry, a 1 in 22 year event is a justifiable return period, and is therefore a reasonable prediction.

Secondly, we test our model’s ability to ‘predict’ events before they occur – and here’s where Marriott is an interesting example.

What was Corax’s prediction for Marriott?

Prior to this breach occurring, our model estimated a 78% probability of a breach occurring over the next 12 months.

Why not 100%?

Corax doesn’t predict events with 100% probability. Our predictions are based on the behaviour and configuration of organisations where they correlate well with known vectors of attack. For example, any Marriott databases exposed to the internet, which Corax discovered, are certainly bad configuration (and potentially how this breach started, and why we estimate a 78% probability compared to a probability of 48% for its peer group), but there is no 100% guarantee that a malicious actor would leverage this.

Our model also estimated that the loss cost to Marriott would be $330M, $490M and $600M for a 1 in 40 year, 1 in 50 year and 1 in 75 year cyber event respectively, i.e. events comparable to the breach reported today.

How accurate are those cost predictions?

It’s too early to say, but stay tuned as we track the costs as they’re reported over the coming months…

What did the other vendors predict?

Why not share your predictions too… collectively, did we range in on the right numbers?