Marriott Says Data Hack Smaller Than Assumed, Hit 5.25 Million Passports


Hackers stole more than 300 million records from Marriott in 2014. (Photo: Igor Golovniov / SOPA Images / LightRocket via Getty Images)

The vast number of people affected still places the Marriott data breach among the biggest hacks of personal data ever to affect one company.

Worldwide hotel chain Marriott today released an update on its November 2018 data breach, revealing that far fewer hotel guests were affected than previously thought.

On Friday, Marriott officials said that the investigation into the compromise has revealed that more than five million plaintext passport numbers were accessed during the intrusion.

The company says it is in the process of setting up a method for guests to look up whether a passport number has been compromised. The company cautions that this doesn't necessarily mean 383 million individual guests were impacted, as there are apparently multiple records for the same guest. On a "Fox and Friends" segment in December, Secretary of State Mike Pompeo said that China was behind Marriott's hack. Marriott is still investigating how many stolen payment card numbers were not encrypted.

In its initial disclosure in November, Marriott said that although the payment card data stolen was encrypted, it was possible that the attackers had accessed the key material needed to decrypt them.

However, the company also disclosed that unencrypted passport numbers of 5.25 million people were accessed by hackers, along with potentially 20.3 million encrypted passport numbers. In that release, the company said that it believed the incident involved information about up to approximately 500 million guests who made a reservation at a Starwood property on or before September 10, 2018, although at that point the company had not completed the analytics work to identify duplicative information. There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers, according to Marriott.

Starwood hotels, which include Trump Turnberry in Ayrshire, London's Park Lane Sheraton Grand, Westbury Mayfair and Le Meridien Piccadilly, have not used their own reservation database since the end of 2018 and are now integrated with the Marriott system.

Marriott now believes that 8.6 million encrypted payment cards were involved in the hack on its Starwood room reservation network.

"With the completion of the reservation systems conversion undertaken as part of the company's post-merger integration work, all reservations are now running through the Marriott system."

Marriott has offered to pay for new passports if affected guests can prove they were victims of fraud.
