5.25 Million Unencrypted Passport Numbers and 354,000 Active Payment Cards Accessed in Marriott Breach

In November 2018 we covered the story of the Marriott Hotel group data breach, in which information from 500 million guests had been exposed. It was determined that hackers access the information in its Starwood database and that the database was first compromised in 2014. Personal information such as addresses, passport numbers, and credit card numbers and more was compromised.

Marriott has now released an update on the incident, stating that the number of guest information compromised is lower than first thought, at around 383 million, down from 500 million. This may seem like good news, but Marriott also added that 5.25 million unencrypted passport numbers, and 20.3 million encrypted passport numbers, were also accessed.

In the update, Marriott states:

“Working closely with its internal and external forensics and analytics investigation team, Marriott determined that the total number of guest records involved in this incident is less than the initial disclosure”

and

“Also, the number of payment cards and passport numbers involved is a relatively small percentage of the overall total records involved.”

As well as the passwords, Marriott has also revealed that 8.6 million encrypted payment cards were accessed, most of these cards have since expired, but 354,000 remain unexpired. The hotel group has said that there is no evidence that the attackers have a decryption key in order to decrypt this information, however, they are continuing to investigate the issue.

Although a reduction, the figure of 383 million is still staggering, however, Marriott had this to say on the scale of the breach:

“This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest,”

Marriott has also announced that they completed their plans to phase-out the Starwood reservation system by the end of December 2018.