Marriott says less than 383 million guests impacted by breach, not 500 million

Marriott issues new hack numbers, downgrading original 500 million estimate.
Written by Catalin Cimpanu, Contributor

International hotel chain Marriott has released an update today to its November 2018 data breach incident, revealing that far fewer hotel guests have been affected than previously thought.

"Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident," the hotel chain said today.

"This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest," Marriott added.

Hackers stole unencrypted passport numbers

But while the initial breach count was lowered, the company also delivered some bad news, confirming that hackers got their hands on approximately 5.25 million unencrypted passport numbers.

The hackers also stole approximately 20.3 million encrypted passport numbers, but the hotel said that "there is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers."

Passport numbers are incredibly useful, as they can be used as a replacement for ID numbers in fraudulent financial transactions. Last month, Marriott offered to reimburse users for the costs of getting a new passport (which is over $100 in most states) if they could prove they were a victim of fraudulent operations where their passport number was involved.

8.6 million encrypted payment card details also stolen

Marriott representatives also provided an update regarding payment card details stolen in the hack, which the hotel did not reveal at all in its original November 2018 announcement.

According to the hotel chain, hackers stole approximately 8.6 million encrypted payment cards, but just like in the case of the encrypted passport numbers, the hotel said there was no evidence that hackers got access to the encryption key needed to decrypt the payment card information.

Furthermore, Marriott says that even if the hackers had gained access to the encryption key, only 354,000 payment cards were still valid as of September 2018, meaning most of the credit card details would have been useless.

Last but not least, Marriott said it also discovered cases where users accidentally entered their payment card numbers into the wrong reservation fields, meaning these numbers weren't encrypted, and are still accessible to hackers in cleartext. Nonetheless, this number is very small, less than 2,000, according to the hotel chain.

With today's press release, Marriott also announced that it phased out the Starwood reservations system, the system that got hacked. That system had been used at Marriott subsidiary Starwood, and its smaller brands, including W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

The hotel chain says that all guests at its Starwood subsidiary brands are now managed through Marriott's central reservations system.

All in all, the company's announcement is good news for many of the hotel chain's guests. However, despite lowering the breach stats, the hotel chain still faces massive expenses, including from numerous class-action lawsuits.
