Marriott International Inc. said the number of guests whose personal information was accessed in a data breach of the Starwood reservations system is less than the 500 million previously estimated, and the number of guests whose passport numbers and payment-card numbers were exposed is a "relatively small percentage" of the total records involved.
The hotelier said it believes the highest number of guest records accessed was 383 million, and about 5.3 million unencrypted passport numbers and 8.6 million encrypted payment-card numbers were involved. Marriott has determined with "a fair degree of certainty" that fewer than 383 million guest records were accessed, as there appear to be multiple records for the same guests.
Of the payment-card numbers, approximately 354,000 cards were unexpired as of September 2018, and Marriott had no evidence that the intruder was able to decrypt the numbers. Marriott added that roughly 20.3 million encrypted passport numbers could have been accessed, but it does not believe the unauthorized party accessed the master encryption key for these records.
In providing its update on the incident, Marriott said it had completed the phase-out of Starwood's reservations database at the end of 2018, and all guest reservations are now running through Marriott's system. Marriott acquired Starwood Hotels & Resorts Worldwide Inc. in 2016 in a deal valued at $13.56 billion, according to S&P Global Market Intelligence data.
In November 2018, Marriott said Starwood's guest-reservation database had been subject to unauthorized access since 2014, and up to 500 million guests could have had their personal information compromised. The New York Times reported in December 2018 that the breach was traced to Chinese hackers as part of a Chinese intelligence-gathering effort.
Marriott said it believes fewer than 2,000 of the unexpired, encrypted payment-card numbers accessed in the breach could have been entered into unencrypted data fields and that it is taking steps to determine if this is the case.