Marriott says hackers stole more than 5 million passport numbers

Marriott reduces size estimate of Starwood hack

Modal Trigger Getty Images

The vast number of people affected still places the Marriott data breach among the biggest hacks of personal data ever to affect one company.

Global hotel chain Marriott believes that more than five million unencrypted passport numbers were included among the data breach that came to light in November past year. Marriott will soon enable customers to access "resources" to see whether their passport numbers were exposed. Replacing a passport is much more time consuming and involved than replacing a payment card compromised in a breach, and passport numbers are quite valuable as unique identifiers.

The hotelier now estimates that up to 383 million records were pilfered in the incident, cutting the original figure after data forensics eliminated duplicates.

After consulting internal and external investigators, the world's largest lodging company now believes that no more than 383 million customers - and probably fewer - had their data exposed to unauthorized parties, Marriott said Friday in a statement.

US airports seeing rise in security screeners calling off work
CNN said they spoke to two senior agency officials and three TSA employee union officials for their story. The TSA said in a statement Friday that call outs that began over the holiday period have increased.

The company has completed the phase out of the operation of the Starwood reservations database, effective the end of 2018. Of that number, approximately 354,000 payment cards were unexpired as of September 2018. Now, Marriott says that the number of potentially involved guests is lower than the 500 million the company had originally estimated.

In its initial disclosure in November, Marriott said that although the payment card data stolen was encrypted, it was possible that the attackers had accessed the key material needed to decrypt them. Marriott said that 5.25 million unencrypted passport numbers were part of the information that was compromised and accessed in the hack. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points.

Hotel megachain Marriott International has gone into further detail on the cyber-raid on its reservation database, including the number of payment cards and passport details siphoned off by hackers. They go on to say that there is no evidence that the third-parties had access to the key to decrypt these payment cards.

The reason the breach appears to have been limited to Starwood is that its guest database ran separately from the rest of the Marriott network. This occurred before Marriott and Starwood merged, and Marriott officials said the company has now taken the Starwood database offline and all reservations now flow through the Marriott system. The biz is also offering to cover a year of identity-theft monitoring service.

Latest News