Marriott says 5 million unencrypted passport numbers exposed in breach

In November, Marriott revealed that it had experienced a security breach on its Starwood reservation system, potentially leaving information about 500 million guests exposed. The company is back with an update on the matter, revealing in a new statement that around 5.25 million unencrypted passport numbers were left vulnerable to the hacker(s).

Marriott discovered unauthorized access on a Starwood guest reservation database on November 19. Soon after, the company announced that the breach potentially affected about 500 million people who had stayed at a Starwood property on or before September 10, 2018.

In its most recent update, Marriott said that it now believes the possible number of impacted guests is lower than the original estimate, totaling about 383 million as the upper limit of guest records that could have been exposed by the breach. The company cautions that this doesn't necessarily mean 383 million individual guests were impacted, as there are apparently multiple records for the same guest. Exactly how many guests have been impacted still hasn't been determined.

In addition to updating its information about impacted guests, Marriott has stated that it believes around 5.25 million unencrypted passport numbers were accessed by the hacker(s). The accessed data also included more than 20 million encrypted passport numbers, but Marriott says there's no evidence that the hackers accessed the master encryption key needed to decrypt them.

Finally, Marriott currently believes around 8.6 million encrypted payment cards were impacted by the data breach. Of those, 354k were still unexpired as of September 2018. Regardless, Marriott says there isn't any evidence that the hackers acquired the tools needed to decrypt the card info.

However, fewer than 2,000 payment cards may have had their 15-digit and 16-digit card numbers entered into other database fields, potentially leaving them unencrypted. An analysis of this potential problem is still underway. Marriott will soon enable customers to access "resources" to see whether their passport numbers were exposed.