Hotel giant Marriott has given an update on the data breach that saw the details of millions of customers of its Starwood subsidiary exposed, confirming that 5.25 million unencrypted passport numbers were involved in the Marriott hack.
The company also confirmed that a further 20.3 million encrypted passport numbers were included in the information accessed, although the key needed to decrypt them was not obtained.
“There is no evidence that the unauthorised third party accessed the master encryption key needed to decrypt the encrypted passport numbers,” said the company in a release.
Such data could be used to perform identity theft, making it one of the most sensitive types of data that can be obtained in such breaches.
Marriott is setting up a system to allow those who may be affected to find out if they are involved, which will be available through its Starwood website once live. The site will also include information on what to do if these guests are victims of identity theft as a result of the breach.
Marriott hack update: Fewer hit than initially thought
The company also gave a more exact figure for the number of people affected by the Marriott hack, confirming that it was lower than had previously been reported.
While 500 million was the number initially estimated by the company, Marriott has lowered this to 383 million. Significantly, this number is for individual entries, not guests, meaning the number of people involved is likely lower.
“This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest,” said the company.
“The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.”
The company also confirmed that 8.6 million encrypted payment cards were involved in the breach, 354,000 of which had not passed their expiry date as of September 2018. However, the encryption key was not obtained for this data.
Marriott phases out affected database
The company has also announced that it has now completely phased out the Starwood reservations database involved in the breach as of the end of 2018.
This furthers efforts the company is making to act transparently in response to the breach and minimise negative customer perceptions.
“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” said Arne Sorenson, Marriott President and Chief Executive Officer.
“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”