The data breach that rocked Marriott late last year affected fewer guests than initially reported — fewer than 383 million instead of 500 million — but the stolen data included unencrypted passport numbers on 5.25 million people, the company said on Friday.
The breach, which targeted the Starwood reservations database, also exposed data on roughly 8.6 million encrypted payment cards, 354,000 of which were unexpired when the firm learned of the breach last September.
However, there may be a small amount of payment card data entered into other fields in the database. The chain is examining whether these 15- and 16-digit numbers, believed to total 2,000 or fewer, are unencrypted.
Marriott has phased out the Starwood database, effective as of the end of December, and all reservations are now going through the Marriott system.
The estimate of 383 million affected guests may be high because the data includes multiple records on the same individuals, the firm says. The company had not completed its analysis at the time of the initial report.
Meanwhile, Marriott is facing class-action litigation by plaintiffs — who allege, among other things, that the firm failed to inform customers of the breach in a timely way. It is also being probed by federal and state agencies.
The New York Times reported in December that the hack may have been the work of China’s Ministry of State Security.
“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” states Arne Sorenson, Marriott’s president and chief executive officer.
Sorenson adds: “As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns.”
Marriott determined last November 19 that the breach, exposing data on reservations made on or before September 10, 2018, had occurred.
The data on millions of guests included such details as name, email address, mailing address, phone number, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
The chain was alerted on September 8 that an attempt had been made to access the Starwood database in the United States. Security experts determined that unauthorized access to the Starwood network had existed since 2014. In addition, the company discovered that an unauthorized party had copied and encrypted data from the database.
The affected brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Four Points by Sheraton, Westin Hotels & Resorts, Element Hotels and Aloft Hotels.