Marriott International has revised downward the number of guests impacted by the Starwood reservations database hack announced by the company Nov. 30, finding fewer guest records were involved in the incident than the 500 million initially estimated.
The megachain identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the years-long cyber attack. However, this number may not represent unique guests: Marriott's research also uncovered multiple records for the same guest in many instances, and the company concluded that information for far fewer than 383 million unique guests was involved in the breach.
Narrowing the number of impacted guests further is not possible at this time, Marriott said, due to the nature of the data in its database.
Marriott worked with its internal and external forensics and analytics investigation teams and determined that the payment cards and passport numbers accessed by hackers constituted a small percentage of the overall records involved in the breach. The company also clarified that when it initially revealed the breach, it had not yet completed the analytics work to identify "duplicative information."
The breach allowed hackers unauthorized access to the Starwood Hotels & Resorts Worldwide network starting in 2014; Marriott acquired Starwood in 2016 for $13.6 billion.
“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” Arne Sorenson, Marriott’s president and CEO, said in a statement. “As we near the end of the cyber-forensics and data-analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
One of the major sticking points to come out of Marriott’s data breach was an insistence from lawmakers that the company reimburse impacted guests for replacement passports in the event that their information was stolen. Following an investigation, Marriott now estimates approximately 5.25 million unencrypted passport numbers were included in the information accessed by hackers, as well as 20.3 million encrypted passport numbers.
In response, Marriott has enabled its designated call center representatives to refer guests to the appropriate resources for looking up individual passport numbers to see whether they were included in this set of unencrypted passport numbers.
Marriott will update its designated website for this incident when it has this capability in place. The website lists telephone numbers to reach the company’s dedicated call center and includes information about the process to be followed if guests believe that they have experienced fraud as a result of their passport numbers being involved in this incident.
Additionally, Marriott now believes that approximately 8.6 million encrypted payment cards were involved in the incident. Of that number, approximately 354,000 payment cards were unexpired as of September 2018. There is no evidence the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers.
While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted. Marriott indicated there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if so, the process it will put in place to assist guests. Further updates will be made to the dedicated website.
Guests who have questions related to their payment cards should visit here for more information, including toll-free phone numbers to reach the dedicated call center.