Marriott breach included 5 million unencrypted passport numbers

Marriott International Hospitality company logo seen

Hackers stole more than 300 million records from Marriott in 2014. Igor Golovniov SOPA Images LightRocket via Getty Images

All of the compromised information came from a guest database belonging to Marriott's Starwood subsidiary.

Marriott discovered unauthorized access on a Starwood guest reservation database on November 19.

When Marriott announced a huge data breach in November, the company estimated that about 500 million people were affected by the incident. More than 8 million encrypted payment cards were involved in the hack. On Friday the company said it has identified approximately 383 million records that may have been compromised, but noted that the number of guests impacted is likely less than 383 million. "The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database", the company said.

After consulting internal and external investigators, the world's largest lodging company now believes that no more than 383 million customers - and probably fewer - had their data exposed to unauthorized parties, Marriott said Friday in a statement. Perhaps most troubling, some 5.25 million of those stolen passport numbers were not encrypted.

Bolsonaro confirms eventual embassy move to Jerusalem
In Thursday's TV interview Bolsonaro praised Israeli Prime Minister Benjamin Netanyahu and his Hungarian colleague Viktor Orban. Bolsonaro reiterated his decision to move Brazil's embassy in Israel from Tel Aviv to Jerusalem, but did not offer a timeline.


Furthermore, Marriot says that even if the hackers had gained access to the encryption key, only 354,000 payment cards were still valid as of September 2018, meaning most of the credit card details would have been useless. Of those, 354k of the cards were still unexpired by September 2018. They go on to say that there is no evidence that the third-parties had access to the key to decrypt these payment cards.

Finally, Marriott now believes around 8.6 million encrypted payment cards were impacted by the data breach.

The hotel company is establishing a system that will enable designated call center representatives to refer guests to appropriate resources through which individual passport numbers can be looked up to determine whether they were among the unencrypted passport numbers. The US call center number is 1-877-273-9481. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests. This occurred before Marriott and Starwood merged, and Marriott officials said the company has now taken the Starwood database offline and all reservations now flow through the Marriott system. The frequently asked questions on https://info.starwoodhotels.com have been updated and may be further supplemented from time to time.

Latest News