Marriott Reduces Estimates of Those Impacted by Starwood Hack
Marriott is scaling back its estimate of the total number of guest records involved in a recently revealed Starwood reservations database breach.
On November 30, Marriott announced that as many as 500 million records in its Starwood Hotels reservation system could have been compromised in an attack that may have begun as much as four years ago.
The reservation system hack, dubbed one of the largest in history, exposed the personal data of millions of customers including payment card numbers, passport details, phone numbers, and email addresses.
After working with internal and external forensics and analytics investigators, Marriott said in a statement released today that the total number of guest records involved is less than was initially disclosed.
In addition, the hotel company said the number of payment cards and passport numbers exposed as part of the hack was “a relatively small percentage of the overall total records involved.”
“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” Arne Sorenson, Marriott’s president and CEO, said in the statement. “As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
When Marriott initially issued its November 30 press release about the incident, the company had not yet completed the analytics work to identify duplicative information. Marriott now says it has identified approximately 383 million records as the “upper limit for the total number of guest records that were involved.”
“This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest,” according to the new statement. “The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.”
Marriott now believes that about 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers.
The hotel giant said there’s no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.
In addition, the company now believes that about 8.6 million encrypted payment cards were involved in the incident. Of that number, approximately 354,000 payment cards were unexpired as of September 2018.
“There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers,” according to Marriott.
While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to determine whether payment card data was inadvertently entered into other fields and was therefore not encrypted. Marriott said it believes that there may be a small number (less than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers.
The hotel company is establishing a system that will enable designated call center representatives to refer guests to appropriate resources through which individual passport numbers can be looked up to determine whether they were included in the set of unencrypted passport numbers.
Marriott is also working on updating a designated website it has created for those with questions about the incident (https://info.starwoodhotels.com). The website lists phone numbers to reach the company’s dedicated call center and includes information about the process to follow if guests believe they experienced fraud as a result of their passport numbers being involved in this incident.
The company also previously offered to replace the passports of those who believe they have been impacted.
As of the end of 2018, the company has phased out the Starwood reservations database.