Hotel megachain Marriott International has gone into further detail on the cyber-raid on its reservation database, including the number of payment cards and passport details siphoned off by hackers.
In an update today to its November 30 disclosure, Marriott now says the (allegedly Chinese) miscreants who broke into its Starwood guest database made off with a total of 5.25 million unencrypted passport numbers and 20.3 million encrypted numbers.
While the passport numbers would be considered sensitive personal information that should not be made public, the numbers and names of guests alone would not be enough for a criminal to create a forged passport. Still, Marriott will be covering the cost for anyone who has had to get a new passport as a result of the data theft.
In addition to the passport numbers, Marriott says the criminals made off with 8.6 million encrypted payment card numbers. While there would be the chance for fraud should those numbers be decrypted, most would be useless by now as, according to Marriott, all but 354,000 of the lifted numbers were expired by September 2018, which was when the heist was discovered. On the other hand, the hackers were in Marriott's systems from 2014 to that date, so many of those cards were likely active during the database infiltration, we reckon.
"There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers," Marriott said in its statement.
Book 'em, Danno
If there is some good news to be had for Marriott, it is that the total number of stolen records is a bit lower than first feared. The resort chain has revised its original estimate of 500 million hacked records to a slightly less-catastrophic 383 million. That's 383 million reservations, not 383 million unique people: some folks obviously stayed in the hotels more than once during the mega-hack.
Those stolen records potentially include: unencrypted names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, genders, arrival and departure information, reservation dates, and communication preferences.
"Marriott now believes that the number of potentially involved guests is lower than the 500 million the company had originally estimated," the chain was keen to stress.
"Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident. This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest.
"The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database."
The security breach will mean the end of the road for the Starwood Reservations system at the center of the hack. "The company has completed the phase out of the operation of the Starwood reservations database, effective the end of 2018," Marriott said.
"With the completion of the reservation systems conversion undertaken as part of the company’s post-merger integration work, all reservations are now running through the Marriott system."
Anyone who believes their personal information to have been involved in the data theft is advised to visit Marriott's support site. The biz is also offering to cover a year of identity-theft monitoring service. ®