Marriott Hackers Took 383 Million Booking Records & 5.3 Million Unencrypted Passport Numbers

Plus an additional 20m passport numbers and 8.6m card details, although those were encrypted

Hotel megachain Marriott International has given more detail about the cyber raid on its reservation database, including the number of payment cards and passport details that the hackers siphoned off. In an update today to its 30 November disclosure, Marriott reports that the (allegedly Chinese) miscreants who broke into its Starwood guest database took a total of 5.25 million unencrypted passport numbers and 20.3 million encrypted ones.

Although passport numbers are considered sensitive personal information that should not be made public, the numbers and names of guests alone would not be sufficient for a criminal to create a forged passport.

Marriott will still cover the costs for anyone who has had to obtain a new passport due to the data theft. In addition to the passport numbers, Marriott says that 8.6 million encrypted payment card numbers were taken by the criminals. While there would be a possibility of fraud if these numbers were decrypted, most of them would be useless now: according to Marriott, all but 354,000 of the lifted numbers had expired by September 2018, when the heist was discovered.

On the other hand, the hackers were in Marriott's systems from 2014 until then, so we expect many of these cards were active while the database was being infiltrated. “There is no evidence that any of the components required to decrypt the encrypted payment card numbers were accessed by an unauthorized third party,” Marriott said in its statement.

If there is any good news for Marriott, it is that the total number of stolen records is a little lower than initially feared. The resort chain revised its original estimate of 500 million hacked records down to 383 million, which is slightly less catastrophic. That is 383 million bookings, not 383 million unique people: some people stayed in the hotels more than once during the period of the mega-hack.

These stolen records may include: unencrypted names, mailing addresses, telephone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, birth dates, genders, arrival and departure information, booking dates and preferences for communication. “Marriott now believes that the number of potential participants is less than the 500 million initially estimated by the company,” the chain stressed.

“Approximately 383 million records were identified by Marriott as the upper limit of the total number of guest records involved. However, this does not mean that information about 383 million unique guests was involved, as there seem to be several records for the same guest in many cases. The company concluded with a fair degree of certainty that information was involved for less than 383 million unique guests, although the company cannot quantify that number due to the nature of the data in the database.”

The security breach will mean the end of the Starwood reservation system at the center of the hack.

“The company has completed the phase of the Starwood reservation database with effect from the end of 2018,” said Marriott. “All reservations are now being made through the Marriott system with the completion of the conversion of the reservation systems as part of the post-merger integration work of the company.”

Anyone who believes that their personal information was involved in the data theft is advised to visit Marriott’s support site. The biz is also offering a year of identity theft monitoring.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.