Marriott Hotels admitted today that as many as  5.25 million unencrypted passport numbers were included a huge hack of the company’s Starwood chain database of customers discovered last fall.
In a news release this morning the company didn’t explain why this data wasn’t encrypted, but approximately 20.3 million passport numbers were encrypted.
“There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers,” the statement added.
The statement also updated the number of records stolen. Initially it thought data on about 500 million guests who made a reservation at a Starwood property on or before September 10, 2018 was compromised. Now it says approximately 383 million records is the upper limit for the total number of guest records that were involved, but that includes multiple records for the same guest.
However, it is still unable to say exactly how many individuals might have been involved “because of the nature of the data in the database.”
The statement also said approximately 8.6 million encrypted payment cards were involved in the breach over four years. Of those, it adds, the vast majority had expired by September, 2018, when the breach was discovered Approximately 354,000 cards were unexpired as of September 2018. There is no evidence the hacker got hold of either of the components needed to decrypt the encrypted payment card numbers, Marriott adds.
However, it also said that while the payment card field in the Starwood database was encrypted the investigation is also looking into whether payment card data was inadvertently entered into other fields and was therefore not encrypted. “Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests.”
Marriott bought the Starwood chain in September, 2016. The Starwood brand includes W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
Marriott discovered something wrong on Sept. 8, 2018 when an internal security tool detected an attempt to access the Starwood guest reservation database. An investigation revealed it had been breached four years earlier.
The Starwood reservation system was phased out at the end of December, the Marriott statement said, as part of a post-merger IT integration.