Advertisement

Marriott says 25 million passport numbers, some unencrypted, involved in massive breach

The breach is the one of the largest ever reported and is under investigation by at least five U.S. states as well as European regulators.
Marriott breach
The front of the Marriott Hotel in Philadelphia. Marriott has revised the amount of people impacted by their data breach. (Getty)

Marriott International said Friday that 383 million customer records were stolen in a data breach last month, down from the hotel chain’s original estimate of 500 million.

Roughly 25.5 million passport numbers also were compromised in the data breach affecting Starwood Hotels reservation system, the company said in a statement. Hackers spent roughly four years inside Starwood’s networks, the company announced Nov. 30.

The breach is the one of the largest ever reported and is under investigation by at least five U.S. states as well as European regulators.

Some 5.25 million of the 25.5 million passports numbers were stored in plain text, Marriott said Friday, providing hackers with a valuable means of stealing individuals’ identities. The hotel chain previously said it would compensate customers for passport replacements if they can prove they had been victims of fraud.

Advertisement

The company also said it believes that approximately 8.6 million encrypted payment cards were involved in the attack.

The roughly 383 million customer files is the “upper limit” of the total number of records involved in the breach, Marriott said. The company “has concluded with a fair degree of certainty that information for far fewer than 383 million” people was involved, adding there are multiple records for the same guests in that database.

“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott,” Arne Sorenson, Marriott’s president and chief executive, said in the statement.

This data breach began in 2014, roughly one year before Marriott International offered to purchase the Starwood hotel chain. Starwood properties include Westin, Sheraton, St. Regis, Aloft and other brands located worldwide.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts