Marriott data breach: Number affected is “less than initial disclosure”

Marriott International affirmed everyone this weekend, that the total number of guest records involved in the Starwood hacking incident is “less than the initial disclosure”.

On 30 November 2018, the hospitality giant exposed an Achilles heel when it admitted to a database security breach. It said that approximately 500 million online accounts were affected — with passport and payment card records compromised.

Last Friday though, Marriott released an update on the number of guests whose passport numbers and payment card numbers were involved in the Starwood reservations database security incident. Working with its forensics and analytics investigation team, it determined that the number of payment cards and passport numbers involved is a relatively small percentage of the overall total records involved.

“Near the end of the cyber forensics and data analytics work”

“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” said Arne Sorenson, Marriott’s president and CEO. “As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”

Passport information update

According to Marriott, 383 million is the upper limit for the total number of records that were involved. This does not, however, mean that information of 383 million unique guests were compromised. As in many instances, according to the group — there are multiple records for the same guest.

When it comes to passport information, 5.25 million were unencrypted, in an approximate total of 20.3 million encrypted passport numbers. Although this is an enormous figure, Marriott said that “there is no evidence” the unauthorised third party has the key to access the files.

Payment card information update

Approximately 8.6 million encrypted payment cards also were involved, but once again, there is no evidence that the unauthorised party accessed the components needed to decrypt the card numbers, said the group.

To help those concerned, Marriott has assigned designated call centre representatives to refer guests to the appropriate resources. This will help them look up individual passport numbers to see if they were affected. The company’s dedicated website will also be updated for questions regarding the incident.