Marriott Says Breach Exposed 5.3M Unencrypted Passport Numbers


Marriott International revealed Friday that hackers took off with 5.3 million unencrypted passport numbers and details for 354,000 unexpired payment cards in the recent breach.

The 6,700-property hotel chain has lowered its initial estimate of up to 500 million guests impacted by the breach and now says that no more than 383 million records were affected. Since multiple records exist for the same guest in many instances, Marriott said it believes that information for fewer than 383 million unique guests was actually taken by the hackers.

"As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers' concerns and meet the standard of excellence our customers deserve and expect from Marriott," Arne Sorenson, Marriott president and CEO, said in a statement.

In an update to its initial disclosure, Marriott said that the hackers who broke into the Starwood guest database between 2014 and Sept. 10, 2018, made off with 5.25 million unencrypted passport numbers and 20.3 million encrypted numbers.

In addition to the passport numbers, Marriott said the hackers made off with 8.6 million encrypted payment card numbers, of which just 354,000 were unexpired as of September 2018. But given that the thieves were active in the system dating all the way back to 2014, more of those cards could have been active during the initial infiltration.

Moreover, as many as 2,000 of the 15-digit and 16-digit payment card numbers might have been inadvertently entered into other fields and therefore were not encrypted. The company is continuing to analyze the numbers to determine if they are payment card numbers, and if so, said it will put a process in place to assist guests.

The Starwood Reservations system at the center of the hack, though, was phased out at the end of 2018. Following post-merger integration work, all reservations are now running through the Marriott system.

Marriott is also offering to cover a year of identity-theft monitoring service. Starwood includes brands such as Sheraton, W and Westin, and was purchased in 2016 by Marriott for $12.2 billion.

The company has also set up a dedicated website and call center to deal with questions guests might have about the breach. Marriott's stock was up $6.07, or 5.97 percent, to $107.81 in trading Friday.

Reuters reported in December that hackers behind the breach left clues suggesting they were working for a Chinese government intelligence-gathering operation. A Chinese foreign affairs spokesman said relevant departments will carry out investigations into the matter if they are offered evidence.