Hotel giant Marriott has given an update to the data breach that saw the details of millions of customers of its Starwood subsidiary exposed, confirming that 5.25 million unencrypted passport numbers were involved in the Marriott hack.

The company also confirmed that a further 20.3 million encrypted passport numbers were included in the information access, although the key to unencrypt it was not obtained.

Go deeper with GlobalData

Premium Insights

The gold standard of business intelligence.

Find out more

“There is no evidence that the unauthorised third party accessed the master encryption key needed to decrypt the encrypted passport numbers,” said the company in a release.

Such data could be used to perform identity theft, making it one of the most sensitive types of data that can be obtained in such breaches.

Marriott is setting up a system to allow those who may be affected to find out if they are involved, which will be available through its Starwood website once live. The site will also include information on what to do if these guests are a victim of identity theft as a result of the breach.

Marriott hack update: Fewer hit that initially thought

The company also confirmed a more exact number of people affected by the Marriott hack was lower than had previously been reported.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

While 500 million was the number initially estimated by the company, Marriott has lowered this to 383 million. Significantly, this number is for individual entries, not guests, meaning the number of people involved is likely lower.

“This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest,” said the company.

“The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.”

The company also confirmed that 8.6 million encrypted payment cards were involved in the breach, 354,000 of which had not passed their expiry data as of September 2018. However, the encryption key was not obtained for this data.

Marriott phases out affected database

The company has also announced that is has now completely phased out the Starwood reservations database involved in the breach as of the end of 2018.

This furthers efforts the company is making to act transparently in response to the breach and minimise negative customer percentions.

“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” said Arne Sorenson, Marriott President and Chief Executive Officer.

“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”