Security & Fraud

Marriott Breach Exposes 5.25M Passport Numbers

5M Unencrypted Passport Numbers in Hotel Breach

Following reports of its data breach last year, Marriott said on Friday (Jan. 4) that the total number of guest records involved in a Starwood database security incident was less than initially disclosed. And, while the hotel company said that the number of passport numbers and payment cards impacted is “a relatively small percentage of the overall total records involved," it did acknowledge that 5.25 million unencrypted passport numbers were "accessed by an unauthorized third party."

However, the company said, “there is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers." At the same time, Marriott said that 20.3 million encrypted passport numbers in addition to the 5.25 million unencrypted passport numbers were accessed. In addition, the company thinks that roughly 8.6 million encrypted payment cards were involved in the incident, but said there wasn't evidence that the components needed to decrypt the card numbers were accessed.

In the press release, Marriott also said the “upper limit” for guest records impacted in the breach was 383 million. That figure was lower than the company's previous estimate that as many as 500 million guests were possibly impacted by the incident. The company noted, however, that the 383 million figure might not represent all unique guests, as more than one record might exist for a customer.

Marriott President and Chief Executive Officer Arne Sorenson said of the update, "We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened. As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers' concerns and meet the standard of excellence our customers deserve and expect from Marriott."

According to reports in November, the firm said that an “internal security tool” raised an alert in September that such access to customer information had been attempted. "We deeply regret this incident happened," Sorenson said at the time. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”



The How We Shop Report, a PYMNTS collaboration with PayPal, aims to understand how consumers of all ages and incomes are shifting to shopping and paying online in the midst of the COVID-19 pandemic. Our research builds on a series of studies conducted since March, surveying more than 16,000 consumers on how their shopping habits and payments preferences are changing as the crisis continues. This report focuses on our latest survey of 2,163 respondents and examines how their increased appetite for online commerce and digital touchless methods, such as QR codes, contactless cards and digital wallets, is poised to shape the post-pandemic economy.