Marriott Unsure How Many Hundreds of Millions of Guests Got Screwed by Data Breach

By Dell Cameron

While downsizing its estimate of how many guests were affected by the historic breach of its hotel reservation system, Marriott International on Friday announced that roughly 5.25 million unencrypted passport numbers are among the sensitive data illegally obtained by as-yet-unidentified hackers.

Saying its initial count of 500 million victims was too high, the company offered a new estimate of fewer than 383 million people, based on the number of guest records in its database. Because the system occasionally generates multiple records for a single guest, that figure is only an upper bound on unique guests, and what the company effectively disclosed on Friday is that it cannot yet say how many individuals are actually affected. Regardless, the breach of Marriott’s Starwood hotel unit seems poised to earn the title of the largest known breach of personal data, dwarfing Equifax’s 2017 security incident by more than a hundred million souls.

“The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database,” the company said.

In addition to passport data, which some theorise could be used by malign actors to track international travellers, the company also held approximately 345,000 payment cards that had not yet expired. That data was encrypted, the company says, and no evidence has yet surfaced to suggest the decryption keys were stolen along with it, which is the condition that would render the encryption moot.

A small number of payment cards—“fewer than 2,000”—may have been stored separately and in an unencrypted format, according to Marriott. “The company is continuing to analyse these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests,” it said.

Marriott added that it completed the phase-out of the Starwood reservation system, the scene of the crime.

Speculation about a Chinese connection is rampant. Reuters first reported in December on suspicions that Chinese hackers, potentially in cahoots with Beijing, may have sought access to the database for espionage purposes rather than financial gain. Private investigators examining the breach have uncovered “hacking tools, techniques and procedures” suggesting China’s involvement, the newswire said, citing three sources not authorised to discuss the matter.

Last month, charges were unsealed against two Chinese intelligence officers over alleged involvement in hacking campaigns targeting over 45 businesses, as well as government agencies, including the Department of Energy and NASA’s Jet Propulsion Laboratory.

Photo: Getty / Scott Olsen