Marriott says hack was smaller but hit 5.25 mn passports

Daniel Fowler
January 6, 2019

When Marriott announced a huge data breach in November, the company estimated that about 500 million people were affected by the incident.

In addition to passport data, which some theorise could be used by malign actors to track worldwide travellers, approximately 345,000 unexpired payment cards were stored by the company.

Marriott discovered unauthorized access on a Starwood guest reservation database on November 19.

While the passport numbers would be considered sensitive personal information that should not be made public, the numbers and names of guests alone would not be enough for a criminal to create a forged passport.

Marriott said about 5.25 million passport numbers were taken in the incident, which U.S. officials believe was masterminded by the Chinese government.

"This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest", Marriott added.

Marriott International said on Friday (Jan 4) that fewer than 383 million customer records were stolen in a massive cyber attack disclosed last month, down from its initial estimate that up to 500 million guests were affected.

Ford recalls over 953K vehicles with faulty airbags
Owners can go to this website and key in their vehicle identification number to see if their cars and SUVs are being recalled. The expanded recall includes about 953,000 vehicles, including 782,384 in the United States and 149,652 in Canada.

The bad news is that the company confirmed that more than five million unencrypted passport numbers were stolen, on top of the more than 20 million encrypted passport numbers. Marriott will soon enable customers to access "resources" to see whether their passport numbers were exposed. Marriott said, "There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers". Regardless, Marriott says there isn't any evidence that the hackers acquired the tools needed to decrypted the card info.

The company says it is in the process of setting up a method for guests to look up whether a passport number has been compromised.

In a statement released Friday, the hotel chain said the "upper limit" for the number of potentially compromised guests is around 383 million, though it's likely that some of those records are duplicates.

As is often the case with data breaches, Marriott also revised the number of total records involved in the incident.

Marriott is scaling back its estimate of the total number of guest records involved in a recently revealed Starwood reservations database breach.

"With the completion of the reservation systems conversion undertaken as part of the company's post-merger integration work, all reservations are now running through the Marriott system".

Other reports by

Discuss This Article