Marriott Provides Update On Starwood Data Breach

Filed Under: Marriott, Starwood Preferred Guest

In late November 2018, Marriott revealed the details of a massive data breach. This involved Starwood’s guest reservations system, with an unauthorized party potentially copying and encrypting information all the way from 2014 until September 10, 2018.

At the time Marriott said that they believed this could contain information for up to 500 million guests, and for about 327 million of those guests, the information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

The company has now provided an update on the breach, in particular regarding the number of guests who may have had information, including passport details, stolen.

“Only” up to 383 million guests have been compromised

Marriott has now determined that the information of up to 383 million guests may have been compromised, rather than the information of up to 500 million guests:

Marriott now believes that the number of potentially involved guests is lower than the 500 million the company had originally estimated.  Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident.  This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest.  The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.

Up to 5.25 million passport numbers have been stolen

Marriott also now believes that approximately 5.25 million unencrypted passport numbers were included in the breach:

Marriott now believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers. There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.

Marriott says that they are putting in place a mechanism to enable people to determine whether their individual passport numbers were included in the set of unencrypted passport numbers.

Up to 8.6 million encrypted payments cards may have been involved

Marriott has also revealed that approximately 8.6 million encrypted payment cards were involved in the incident:

Marriott now believes that approximately 8.6 million encrypted payment cards were involved in the incident.  Of that number, approximately 354,000 payment cards were unexpired as of September 2018.  There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers.

While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted. Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests.  Further updates will be made to the dedicated website:

Bottom line

This whole thing is just a huge mess. I guess it’s good that “only” up to 383 million people were impacted, rather than up to 500 million. It’s still concerning that over five million people potentially had their passport information compromised.

  1. The credit card numbers don’t really worry me, because as you’ve noted in the past that is easy to track, prevent and fix on our ends. However, nearly 26 million passport numbers is concerning. I have no faith that just because most of them are encrypted, they cant be compromised. I’m not sure what exactly can be done with a passport number, but I’m assuming its slightly more dangerous for the “victim” than a credit card number to have floating around out there. Maybe someone with more knowledge of identity theft can put my mind at ease about this.

    Also, wasn’t this Starwood’s database, and has been going on for years? I’m hesitant to put the totality of blame on Marriott, and you have to believe that upper executives are fuming, purchasing a ticking time bomb without knowing. I guess you can blame them for not doing their due-diligence in looking into SPG’s security. The way they’ve handled it since has also left a lot to be desired. I’ve received a grand total of one email communication from them about this, and it was relatively rosy. Clearly its a little worse than they let on.

  2. Don’t worry – once they get the Bonfire program launch behind them, they can prioritize working on this. Seriously though, this suggests negligence on their behalf. I wonder if they could face GDPR penalties in Europe over this, that would help focus their efforts!

  3. You have to google videos on how tech illiterate Congresscritters are… Not holding my breath for them to pass big punishment on companies for failing to protect customers’ privacy and you can bet that big tech companies will lobby hard against strong data / privacy protection laws.

  4. Not trying to troll here. Why would they have passport numbers? People put passport numbers in their profiles or when the front desk takes them in foreign countries they associate them to the profile?

  5. Is it unhealthy that I’m starting to agree with Debit on something?

    (Well, minus the spelling of Sarbanes–Oxley.)

  6. Once they change the name of the program to “BonFire” things will be fixed and work wonderfully from that point forward.

  7. My main comment is that it was SPG who really fouled this up in the first place, not Marriott. It would appear that Marriott discovered the breach and is left with cleaning up a mess that they didn’t make. It’s unfortunate that they’re the ones tarred with SPG’s error of incompetence.

    All that said, Marriott isn’t doing a very good job with the cleaning up either…….

  8. I hope they are penalized under GDPR in Europe. As others have noted we are sorely lacking in any sort of consequences of data breaches of consumer information in the US. There need to be far more severe consequences, otherwise companies will not prioritize these things. It’s just how businesses are built to work. They respond to market forces – regulation, shareholders, etc. They are too big for consumers to completely abandon them for competitors so that’s not a powerful lever here.

    Unlike some company mistakes, this is completely on the executives. Typically lower level folks in security departments push for more robust solutions, and then are under resourced or denied funding because senior execs don’t find it important enough (and IT is a cost center). I haven’t noticed this changing significantly even with all of the data breaches in recent years…

  9. I wish someone would publicize this more: the SPG hack was not a for-profit attack.

    This was and is a government attack to obtain traveler information, most likely perpetrated by the Chinese, to obtain information about foreign government travelers. It’s why they stayed in for four years rather than get in, get out, and get money.

    I understand why people are mad but it’s not like some 10-year old kid was running this operation.

  10. International travelers outside of the USA are aware that hotels require passports to check in. Even in ever friendly Europe and the UK. Ben knows this.

    Not a good time to bring politics into this. All are to blame for laxity.

    How many companies have had credit card breaches say like Target, Tiffany.

    But not many had passport info.

  11. @Debit – uhm, quit with the racist, ill-informed attacks if possible. while i agree execs need to be held accountable for their corporate mishaps you obviously have no idea what Sarbanes-Oxley (act) was all about. it was all about corporate fraud and nothing to do with a data breach.

    Since the Sarbanes-Oxley act itself is to prevent financial reporting fraud which requires internal controls and external auditing, it doesn’t mean it’s not in play here with the SPG leak (laughable how Marriott refuses to accept responsibility for this). The act itself demands that companies have rules in place to protect information accuracy and reporting yet I’d have to look deeper into the act’s controls themselves towards any type of customer confidentiality requirements as it wasn’t specifically created for that.

    I can say that my company has adopted very specific and deep requirements (that have been in place at least ten plus years) towards SOX compliance around customer data, encryption, storage with quarterly reviews.

    So, while these companies have well defined obligations to the Federal Government via Law, its unacceptable at this point in time for them to cry wolf when confidential data is lost. The Law enforced controls and systems are in place for many parts of their business, yet they turn a blind eye by not auditing the other portions? It’s time for a SOX reform.

  12. *should have read my post before hitting send.

    In re: to my company, not saying we’re immune from a data breach but that we have adopted SOX controls to all data protection portions across the entire corporation – not just on the financial side. All companies can and should do this.

    I don’t think Congress can continue turning a blind eye to these breaches. There is a framework in place… it just needs to be extended and passed into law.

  13. @Tom – I’ve been hoping that was the case as Cyber research firms initially reported because IMO, foreign governments likely wouldn’t do the same harm to me financially as for-profit Cyber criminals.

    Yet, it cannot be confirmed who did it. Hackers are often using each others’ methods (stamps) to try and throw investigators off of their own tracks.

    Until the US Government actually accuses China of this, the public will never know beyond speculation who the culprit was.

  14. The only place I use my Chase Marriott visa is Marriott. The number has been stolen and changed at least four times since 2013. So no, I don’t believe spg holds the blame here.

  15. I’m curious, What’s the scenario how passport numbers can be use nefariously? Make a fake one and pretend to be us?

  16. A picture of my entire passport was stolen. I received an email from a hacker with the picture copy attached asking for money. I’m almost positive this happened when I was in Egypt as my hotel set me up with a VIP service to assist at the airport and they ran off with my passport for several hours (my flight was delayed). The guy that was my airport guide was a jerk off and I could see him doing this. The picture included both my passport and passport holder, so it had to have been by some asshole who physically had my passport.

    In any case, I immediately researched what the hacker could potentially do with the info. Nothing. All passports are encrypted with certain codes that can’t be faked. The worst that could happen is someone makes a fake passport with your info to use as general identification. They could never travel with it.

    Nonetheless, I reported my passport stolen and had a new number issued since the hacker had all the details of my passport including birth date. With this hack, I doubt the hackers have more than just the passport number and expiration date.

  17. Re Marriott, does anyone trust these compulsive liars anymore? Are the “improved figures” an attempt to discourage law firms from getting into the fray? Where are the executives (especially Bruce Duncan former Chairman of Starwood now on the Marriott Board)? CEO Sorenson has been switched to mute and sent away [“Arne Sorenson has not answered questions about the hacking in public and Marriott said he was traveling and declined a request from The NY Times to talk”] Transparency indeed!
    “Bottom line. This whole thing is just a huge mess”. Yes, and created by Marriott’s failure to conduct proper due diligence during and after the merger process with Starwood. Who is investigating that? Who is going to take responsibility?
    In 2017 Equifax’s CEO Richard Smith resigned following a backlash over a hack at the company that compromised the data of 143 million Americans. In 2018, along with the data breach, Marriott also had to sort out its China gaffe, deal with employee strikes and cope with loyalty programme glitches. It’s time for Sorenson to go…

  18. Passport data doesn’t worry me too much … it’s almost public data anyway. Whenever you are taking a guided tour, doing visa on arrival in most countries, filling immigration forms which then end up in the landfill (after being processed by officials) etc. this information is made public. I do not consider this confidential information.

  19. In a funny sort of way I agree with you Andy. The bigger issue is Marriott itself and its legal and regulatory commitments as a PLC. Marriott is duty bound to follow due process and it failed to conduct appropriate due diligence during the merger and beyond (and I have to say not only in this context). The regulators are asleep (or corrupt) and the hotel industry is thereby unregulated. The regulators are naively parochial (or corrupt) and the corporations global (and definitely corrupt). Everything is out of kilter and we must recognise the seriousness of the situation. Forget about Chinese spies and passport data; look at the bigger picture which involves the corruption, greed and negligence of large corporations. If you’re not harmed in this particular case you will be in another, be assured of that. Due to Sorenson, Marriott is now a rotten fruit which cannot ripen again.

  20. I’m with Lilian on this one — passport #s really aren’t all that useful these days.

    I’m not letting Marriott of the hook on the issue, but it’s one they inherited from Starwood rather than the current abortion that is Cloud.

Leave a Reply

If you'd like to participate in the discussion, please adhere to our commenting guidelines. Your email address will not be published. Required fields are marked *

Reminder: OMAAT comments are changing soon. Register here to save your space.