In late November 2018, Marriott revealed the details of a massive data breach. This involved Starwood’s guest reservations system, with an unauthorized party potentially copying and encrypting information all the way from 2014 until September 10, 2018.
At the time Marriott said that they believed this could contain information for up to 500 million guests, and for about 327 million of those guests, the information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
The company has now provided an update on the breach, in particular regarding the number of guests who may have had information, including passport details, stolen.
“Only” up to 383 million guests have been compromised
Marriott has now determined that the information of up to 383 million guests may have been compromised, rather than the information of up to 500 million guests:
Marriott now believes that the number of potentially involved guests is lower than the 500 million the company had originally estimated. Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident. This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest. The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.
Up to 5.25 million passport numbers have been stolen
Marriott also now believes that approximately 5.25 million unencrypted passport numbers were included in the breach:
Marriott now believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers. There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.
Marriott says that they are putting in place a mechanism to enable people to determine whether their individual passport numbers were included in the set of unencrypted passport numbers.
Up to 8.6 million encrypted payment cards may have been involved
Marriott has also revealed that approximately 8.6 million encrypted payment cards were involved in the incident:
Marriott now believes that approximately 8.6 million encrypted payment cards were involved in the incident. Of that number, approximately 354,000 payment cards were unexpired as of September 2018. There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers.
While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted. Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests. Further updates will be made to the dedicated website: https://info.starwoodhotels.com.
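The kind of check Marriott describes, scanning fields that are not supposed to hold card data for 15- and 16-digit runs that could be card numbers, as an added example that is not code from the article or from Marriott. It uses a Luhn check to separate plausible card numbers from other digit runs, reports only the field and length rather than the number itself, and the records and field names are constructed for the example.

```python
import re

# Constructed sample records standing in for free-text fields where a card
# number might have been typed by mistake (all values are made up).
SAMPLE_RECORDS = [
    {"guest_id": 1, "notes": "Late arrival, please hold room", "address_line2": ""},
    {"guest_id": 2, "notes": "card on file 4111111111111111 for incidentals", "address_line2": ""},
    {"guest_id": 3, "notes": "", "address_line2": "Apt 378282246310005"},  # 15 digits, Luhn-valid
    {"guest_id": 4, "notes": "confirmation 1234567890123456", "address_line2": ""},  # fails Luhn
]

# A run of exactly 15 or 16 digits not embedded in a longer digit string.
CANDIDATE_RE = re.compile(r"(?<!\d)\d{15,16}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_candidate_pans(records, fields=("notes", "address_line2")):
    """Scan the given non-card fields and return (guest_id, field, digit_count) for
    each digit run that is 15 or 16 digits long and Luhn-valid. The number itself
    is deliberately not returned, so the report can be handled as non-sensitive."""
    hits = []
    for rec in records:
        for field in fields:
            for m in CANDIDATE_RE.finditer(rec.get(field, "")):
                if luhn_valid(m.group()):
                    hits.append((rec["guest_id"], field, len(m.group())))
    return hits


if __name__ == "__main__":
    for guest_id, field, n in find_candidate_pans(SAMPLE_RECORDS):
        print(f"guest {guest_id}: {n}-digit Luhn-valid number in field '{field}'")
```

A Luhn pass is only a filter, not proof: confirmation or loyalty numbers can also satisfy it, which is why the candidates still need the manual analysis Marriott mentions.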
This whole thing is just a huge mess. I guess it’s good that “only” up to 383 million people were impacted, rather than up to 500 million. It’s still concerning that over five million people potentially had their passport information compromised.