Marriott International says that the total number of guests affected by a massive hacking of a reservations database that the company disclosed late last year is smaller than the 500 million it originally reported.
The Bethesda-based hotel company, the largest in the world, now believes that about 383 million guests were involved. Its investigation team used internal and external forensics to determine that about 383 million customer records were involved in the data breach, and in some cases that included multiple records for the same guests.
Marriott also now believes that about 5.25 million unencrypted passport numbers were included in those records. Approximately 20.3 million encrypted passport numbers were also compromised. But the company says there is no evidence that the unauthorized and unidentified third party accessed the master encryption key needed to decrypt the encrypted passport numbers.
Additionally, approximately 8.6 million encrypted payment cards were involved in the breach, but there is no evidence that the hackers have the mechanism to decrypt those numbers. Marriott says a small number—fewer than 2,000—of unencrypted payment card numbers may have been accessed.
“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” Marriott CEO Arne Sorenson said in a written statement. “As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
The company determined on Nov. 19 that a third party had gotten unauthorized access to a Starwood guest reservations database. Marriott acquired Starwood in 2016. When it announced the breach on Nov. 30, it said it believed the incident involved about 500 million guests who made a reservation at a Starwood property on or before Sept. 10.
Marriott has now merged Starwood’s reservations system with its own.
Marriott has 30 brands with more than 6,700 properties. It has a presence in 129 countries and territories. Among the Starwood brands it acquired are W Hotels, St. Regis, Sheraton Hotels & Resorts, and Westin Hotels & Resorts.
U.S. Secretary of State Mike Pompeo suggested on Fox News last month that China is a suspect in the Marriott hacking. China has been accused of attacking other major companies to get information about their customers and executives. The FBI is investigating the matter.
Marriott has not commented on China’s possible involvement.
“Our primary objectives in this investigation are figuring out what occurred and how we can best help our guests,” a company spokesman said in an email. “We have no information about the cause of this incident and we have not speculated about the identity of the attacker. We alerted law enforcement and are supporting their investigation.”
Marriott has set up a dedicated website, Info.starwoodhotels.com, for customers to get the latest updates and sign up for free web monitoring services for one year.