Marriott Revises Breach Scope to 383M Records

The hotel giant said after de-duping, the breach appears to be smaller than it thought.

Marriott has revised downward its estimate on the number of guests whose passport numbers and payment card data were impacted in its recent data breach.

After the hospitality giant confirmed in November that there had been unauthorized access to its Starwood guest reservations database from 2014 up to September 2018, it said that up to 500 million guests were potentially impacted. However, after de-duping the information, Marriott said that 383 million records – not guests – were involved in the incident, with multiple records associated with the same individual in many cases.

Breaking the information down further, 5.25 million unencrypted passport numbers were included in the breach, along with 20.3 million encrypted passport numbers.

“Compromise of those passports is historic,” said Tom Kellermann, chief cybersecurity officer at Carbon Black, via email. “[Millions of] individuals are essentially exposed to cybercrime and economic espionage. The lines between the physical world and cyberspace are blurring as we see signals intelligence-gathering and human intelligence-gathering merging. The Chinese have taken a page from the Russian cyber playbook. The Chinese can now track individuals as they travel and leverage physical and cyber assets to spy on them. This breach is the tipping point that the new Congress may use to mandate federal data breach reporting.”

Also, about 8.6 million encrypted payment cards were involved, 354,000 of which the hotel chain said were unexpired as of September 2018. Marriott also said it believes that fewer than 2,000 15-digit and 16-digit numbers, which guests may have entered into other fields of the input form, might be unencrypted.
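The two checks behind the figures above, reducing duplicate records to distinct individuals and spotting card-like numbers that ended up in fields never meant to hold them, are shown here as an added example; it is not part of the original article and not Marriott's own tooling. The record layout and field names (guest_id, card_number, notes, address) are assumptions, and the records are constructed samples using the publicly documented test card numbers 4111111111111111 and 378282246310005.

```python
import re
from typing import Dict, Iterable, List

# Fields that are supposed to hold card data (and are encrypted at rest).
# Anything card-like found elsewhere is a probable plaintext leak.
CARD_FIELDS = {"card_number"}

# A run of 15 or 16 digits, optionally grouped by single spaces or dashes,
# not embedded in a longer digit string.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test.

    Filtering on Luhn cuts out most confirmation numbers and other
    16-digit identifiers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_stray_pans(record: Dict[str, str]) -> List[str]:
    """Return the names of the non-card fields in one record that contain a
    Luhn-valid 15- or 16-digit number (a probable unencrypted PAN)."""
    hits = []
    for field, value in record.items():
        if field in CARD_FIELDS or not isinstance(value, str):
            continue
        for match in PAN_PATTERN.finditer(value):
            digits = re.sub(r"[ -]", "", match.group())
            if len(digits) in (15, 16) and luhn_valid(digits):
                hits.append(field)
                break  # one hit per field is enough for the report
    return hits


def scan_records(records: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Summarise a record set: total records, distinct guests (the
    de-duping step) and how many records carry a stray PAN."""
    records = list(records)
    return {
        "records": len(records),
        "unique_guests": len({r["guest_id"] for r in records}),
        "records_with_stray_pan": sum(1 for r in records if find_stray_pans(r)),
    }


# Constructed sample data (assumed schema). The card_number column stands in
# for an encrypted blob; the free-text fields are where leaks hide.
SAMPLE_RECORDS = [
    {"guest_id": "G-001", "card_number": "<encrypted-blob>",
     "notes": "Late checkout requested"},
    {"guest_id": "G-002", "card_number": "<encrypted-blob>",
     "notes": "card on file 4111 1111 1111 1111 for incidentals"},
    {"guest_id": "G-003", "card_number": "<encrypted-blob>",
     "notes": "confirmation 1234567890123456",      # 16 digits, fails Luhn
     "address": "Amex 378282246310005"},            # 15 digits, passes Luhn
    {"guest_id": "G-002", "card_number": "<encrypted-blob>",
     "notes": "Loyalty upgrade"},                   # second record, same guest
]

if __name__ == "__main__":
    print(scan_records(SAMPLE_RECORDS))
    for rec in SAMPLE_RECORDS:
        print(rec["guest_id"], find_stray_pans(rec))
```

Four records collapse to three guests, and only two records carry a Luhn-valid number outside the card field; the 16-digit confirmation number is correctly ignored. In a real dataset the Luhn filter is what keeps the count close to the true number of stray PANs rather than the number of long digit strings.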

“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” said Arne Sorenson, Marriott’s president and CEO, in a website statement. “As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”

The company also said that it has taken its Starwood reservation system offline and migrated all reservations to a separate in-house Marriott system.
