Marriott Reduces Estimates of Those Impacted by Starwood Hack

Marriott Reduces Estimates of Those Impacted by Starwood Hack

The breach involved an intrusion into the Starwood reservations database dating back to 2014, but was only discovered in 2018. In some cases, customers' payment card information, birthdates, and passport numbers.

Marriott only learned of the data theft on November 19, after hackers had accessed records since 2014.

All of the compromised information came from a guest database belonging to Marriott's Starwood subsidiary.

On Friday, Marriott officials said that the investigation into the compromise has revealed that more than five million plaintext passport numbers were accessed during the intrusion. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests.

Marriott said its call center reps will soon be able to help customers figure out if their passport number was exposed.

While downsizing the estimate of how many guests were impacted by the historic breach of its hotel reservation system, Marriott International on Friday announced that roughly 5.25 million unencrypted passport numbers are now among the sensitive data illegally obtained by hackers unknown.

More news: Hundreds of German politicians hacked, excluding those from far-right AfD

Marriott said it had no evidence to suggest that the perpetrators had the master encryption key to unlock encrypted data.

The hotelier now estimates that up to 383 million records were pilfered in the incident, cutting the original figure after data forensics eliminated duplicates.

In addition, the company now believes that about 8.6 million encrypted payment cards were involved in the incident.

"There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers", according to Marriott.

When Bethesda, Maryland, hotel chain initially disclosed the breach in November, the company said that hackers compiled stolen data undetected for four years, including credit card and passport numbers, birthdates, phone numbers and hotel arrival and departure dates.

Marriott said today that the number of customers affected is probably fewer than 383 million because there were often multiple records for a given guest, but that it can't quantify the total due to the nature of the data. In that release, the company said that it believed the incident involved information about up to approximately 500 million guests who made a reservation at a Starwood property* on or before September 10, 2018, although at that point the company had not completed the analytics work to identify duplicative information.