Marriott believes data breach affected less than the 500 million guests
Staff Writer |
Marriott provided an update on the number of guests whose passport numbers and payment card numbers were involved in the Starwood reservations database security incident announced by the company on November 30, 2018.
Article continues below
Marriott is updating its press release of November 30, 2018, which announced that the company determined on November 19, 2018 that there was unauthorized access to a Starwood guest reservations database.
In that release, the company said that it believed the incident involved information about up to approximately 500 million guests who made a reservation at a Starwood property on or before September 10, 2018, although at that point the company had not completed the analytics work to identify duplicative information.
Marriott now believes that the number of potentially involved guests is lower than the 500 million the company had originally estimated. Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident.
This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest.
The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.
Marriott now believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party.
The information accessed also includes approximately 20.3 million encrypted passport numbers. There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.
Marriott is putting in place a mechanism to enable its designated call center representatives to refer guests to the appropriate resources to enable a look up of individual passport numbers to see if they were included in this set of unencrypted passport numbers. Marriott will update its designated website for this incident (https://info.starwoodhotels.com) when it has this capability in place. ■