Massive Marriott breach included 5M+ unencrypted passport numbers

Andrew Cummings
January 6, 2019

Marriott is scaling back its estimate of the total number of guest records involved in a recently revealed Starwood reservations database breach. The Starwood reservations database includes the Starwood brands W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. The company also said that of the 8.6 million encrypted payment card numbers that were stolen, all but 354,000 of them were expired by September 2018.

That might be a problem, given that passport numbers can be used for identity theft and to commit fraud. They are also the sort of data that remains highly valuable to spy agencies, which can use the information to track down where government officials, diplomats and adversaries have stayed - giving insight into what would ordinarily be clandestine activities.

"Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident." The company cautions that this doesn't necessarily mean 383 million individual guests were impacted, as there are apparently multiple records for the same guest.

Global hotel chain Marriott believes that more than five million unencrypted passport numbers were included in the data breach that came to light in November last year. There is no evidence that the attackers were able to use the master encryption key required to gain access to the encrypted data. Of the encrypted payment cards, 354,000 were still unexpired as of September 2018.

Marriott initially disclosed the hack - one of the biggest ever - on November 30, saying up to 500 million consumers of former Starwood properties were affected and that some combinations of names, addresses, emails or passport numbers were taken for some 327 million guests.

Finally, Marriott now believes around 8.6 million encrypted payment cards were impacted by the data breach. There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers.

A small number of payment cards - "fewer than 2,000" - may have been stored separately and in an unencrypted format, according to Marriott. Marriott has already created a dedicated website and call center about the database hack.

Marriott said in its Friday update that it has "completed the phase out" of Starwood's reservation database and now runs guest bookings through its Marriott database, which was not affected by the breach.