When Marriott announced a huge data breach in November, the company estimated that about 500 million people were affected by the incident. After more than a month of investigation and forensics work, the company has lowered that figure to about 383 million guest records (and, because many guests appear more than once, fewer unique people), but also said that several million unencrypted passport numbers were taken during the breach.
The breach involved an intrusion into the Starwood reservations database dating back to 2014, but it was only discovered in 2018. The attackers had access to a wide range of customer data, including names, home addresses, email addresses, and phone numbers. In some cases, the data also included customers’ payment card information, birthdates, and passport numbers.
“Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database,” the Marriott statement from November says.
On Friday, Marriott officials said that the investigation into the compromise has revealed that more than five million plaintext passport numbers were accessed during the intrusion. Replacing a passport is far more time-consuming and involved than replacing a payment card compromised in a breach, and a passport number is valuable to attackers precisely because it is a long-lived, unique identifier. Marriott officials said the company is in the process of setting up a resource to allow customers to check whether their passport number was part of the breach.
“Marriott now believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers. There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers,” Marriott’s new statement says.
In its initial disclosure in November, Marriott said that although the stolen payment card data was encrypted, it was possible that the attackers had also accessed the key material needed to decrypt it. However, in the updated disclosure, Marriott officials said there is “no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers.” The company also said that of the approximately 8.6 million encrypted payment card numbers that were stolen, all but about 354,000 had expired by September 2018.
As is often the case with data breaches, Marriott also revised the total number of records involved in the incident. But unlike most such revisions, the number went down, from approximately 500 million to fewer than 400 million.
“Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident. This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest. The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database,” the company said.
The attackers behind the breach were able to get into the Starwood hotel chain’s reservation database in 2014, before Marriott and Starwood merged. Marriott officials said the company has since taken the Starwood database offline, and all reservations now flow through the Marriott system.