Marriott Finds Fewer Guests Affected by Hacking But Millions of Cards, Passport Numbers Involved

11:04 AM, Jan 4, 2019 — Marriott International (MAR) said millions of unique encrypted payment card numbers, along with passport numbers both encrypted and unencrypted, were affected in the data breach reported in November, while it lowered its projection for the overall number of guests who might have been affected.

In an update Friday, the company said it identified 383 million guest records as the “upper limit” of those involved in the incident, in which access was gained to a reservations database for its Starwood unit. In its initial disclosure, Marriott estimated 500 million guests could be involved.

“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott,” said Arne Sorenson, Marriott’s chief executive.

Last month, Secretary of State Mike Pompeo told Fox News that China was behind the hacking, a claim that was denied by the Asian country’s government. Marriott made no mention of responsibility in its statement Friday.

In the update, Marriott said there weren’t necessarily 383 million unique guests involved in the breach, which related to reservations at Starwood properties on or before Sept. 10, as “there appear to be multiple records for the same guest.”

But the company said approximately 5.25 million unencrypted passport numbers were included in the information that was accessed in the breach, as well as 20.3 million encrypted passport numbers.

“There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt” the numbers, Marriott said. It’s working on enabling call center representatives to refer guests to resources that will allow them to look up passport numbers to see if they were included in the unencrypted set.

The hotel operator also said about 8.6 million encrypted payment cards were involved, and of that number, some 354,000 weren’t expired as of September last year. But Marriott again said there’s no evidence the hacker got access to the components needed to decrypt the numbers.

“While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted,” the company said. There might be fewer than 2,000 numbers in other fields in the data involved in the breach that could turn out to be payment card details, it said.
