Marriott Breach Exposes 5.25M Passport Numbers

5M Unencrypted Passport Numbers in Hotel Breach

Following reports of its data breach last year, Marriott said on Friday (Jan. 4) that the total number of guest records involved in a Starwood database security incident was less than initially disclosed. And, while the hotel company said that the number of passport numbers and payment cards impacted is “a relatively small percentage of the overall total records involved,” it did acknowledge that 5.25 million unencrypted passport numbers were “accessed by an unauthorized third party.”

However, the company said, “there is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.” At the same time, Marriott said that 20.3 million encrypted passport numbers in addition to the 5.25 million unencrypted passport numbers were accessed. In addition, the company thinks that roughly 8.6 million encrypted payment cards were involved in the incident, but said there wasn’t evidence that the components needed to decrypt the card numbers were accessed.

In the press release, Marriott also said the “upper limit” for guest records impacted in the breach was 383 million. That figure was lower than the company’s previous estimate that as many as 500 million guests were possibly impacted by the incident. The company noted, however, that the 383 million figure might not represent all unique guests, as more than one record might exist for a customer.

Marriott President and Chief Executive Officer Arne Sorenson said of the update, “We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened. As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”

According to reports in November, the firm said that an “internal security tool” raised an alert in September that such access to customer information had been attempted. “We deeply regret this incident happened,” Sorenson said at the time. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”