On Friday, Marriott provided an update on the number of guests whose passport numbers and payment card numbers were involved in the Starwood reservations database security incident that the company revealed on November 30, 2018.
In its announcement on November 30, Marriott reported that the security breach involved the information of approximately 500 million guests who made a reservation at a Starwood property on or before September 10, 2018. The company now believes that the number of potentially involved guests is lower than the 500 million the company had originally estimated. Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident, although the company noted that many instances of these 383 million records involved multiple records for the same guest. The company has concluded that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.
Passport Information Update
Marriott now believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers. There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers, according to the company.
Marriott is putting in place a mechanism to enable its designated call center representatives to refer guests to the appropriate resources to enable a lookup of individual passport numbers to see if they were included in this set of unencrypted passport numbers. The company said it will update its designated website for this incident when it has this capability in place. The website lists phone numbers to reach the company’s dedicated call center and includes information about the process to be followed if guests believe that they have experienced fraud as a result of their passport numbers being involved in this incident.
Payment Card Information Update
Marriott now believes that approximately 8.6 million encrypted payment cards were involved in the incident. Of that number, approximately 354,000 payment cards were unexpired as of September 2018. There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers, the company said.
While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted. The company said that there may be fewer than 2,000 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests.
Starwood Reservations Database Discontinued
The company has completed its phase-out of the operation of the Starwood reservations database, effective at the end of 2018. With the completion of the reservation systems conversion undertaken as part of the company’s post-merger integration work, all reservations are now running through the Marriott system.
“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” said Arne Sorenson, Marriott’s president and CEO. “As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
