Marriott Says Data Breach Estimate Lower Than First Reported
by Kerry Tice
Marriott said the total number of guest records involved is less than the initial disclosure – closer to 383 million records, and it could be even fewer. Photo: Alexandros Michailidis / Shutterstock.com.
Marriott International has updated its initial estimate of the number of guests who were impacted by the massive data hack that occurred through its Starwood reservations database and was discovered in mid-November.
The hotel giant – owner of multiple brands, including W Hotels, Westin and Sheraton – originally revealed that about 500 million Starwood guests were affected by the breach that included possible access to passport and payment card numbers. However, after further investigation, Marriott has determined that the total number of guest records involved is less than the initial disclosure – closer to 383 million records, and it could be even fewer guests as there appear to be multiple records for many of the guests involved.
“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” said Arne Sorenson, Marriott’s president and chief executive officer. “As we near the end of the cyber forensics and data analytics work, we will continue to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
With regard to passport numbers, Marriott now believes that approximately 5.25 million unencrypted and 20.3 million encrypted passport numbers were included in the information accessed by an unauthorized third party. The company said there is no evidence that the third party was able to access the master encryption key that could be used to decrypt the encrypted passport numbers.
Marriott also stated that it believes about 8.6 million encrypted payment cards were involved in the incident, of which 354,000 were unexpired as of September 2018. Once again, there is no evidence that the unauthorized third party has the ability to decrypt these payment card numbers.
The hotel company announced it is putting in place a mechanism that lets its designated call center representatives refer guests to the appropriate resources, so that individual passport numbers can be looked up to see whether they were included in the set of unencrypted passport numbers. Marriott said it will update its website when the capability is in place.
Guests who have questions related to their payment cards should visit https://info.starwoodhotels.com for more information.

