IT TURNS OUT it was not quite half a billion guests who were affected by a data breach of Marriott International’s Starwood reservation system as announced in November. The company now says the number now is closer to 383 million, tops.
The new numbers are the result of Marriott’s forensic investigation of the leak. The 383 million figure is the upper limit on the amount of records involved.
“This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest,” the company said. “The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.”
Marriott has said previously the investigation into the breach began in September after one of its internal security tools detected an attempt to access the database in the U.S. It determined that since 2014 an unauthorized party had been copying and encrypting information from the database. While the company is still sifting out duplicate data, it currently believes the data came from about 500 million guests. Marriott acquired Starwood in September 2016. This past August, Marriott merged the companies’ guest loyalty programs.
Marriott disclosed the information stolen includes mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth and gender. Some payment card numbers and expiration dates also were exposed, but the company believes they are protected by its encryption.
China emerged as a suspect when private investigators found certain hacking tools, techniques and procedures evident in the data breach that were previously associated with Chinese hackers, according to Reuters.
Marriott now believes that approximately 5.25 million unencrypted passport numbers were included in the breach as well as about 20.3 million encrypted passport numbers. It does not have evidence the hackers accessed the master encryption key needed to decrypt the encrypted passport numbers.
The company also said about 8.6 million encrypted payment cards were involved in the data breach, and of those 354,000 were not yet expired as of September. In that case as well the company has no evidence that the data thieves can unencrypt the credit card data, but there is a caveat.
“While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted,” the company said. “Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers.”
Marriott also said it has completely phased out the Starwood reservation system as of the end of 2018.