Marriott hack update: attackers accessed fewer user records than first thought, but 5.3 million passport numbers were unencrypted

Back in late November, Marriott International went public with news that its Starwood Hotel reservation database had been hacked. At the time, the company suggested that up to 500 million customer records had been put at risk as a result, but now it has provided an update with a reduced estimate.

The company now says that it believes up to 383 million guests may have been affected; but the news is not all good. Marriott also reveals that over 5 million unencrypted passport numbers were stolen by hackers.

See also:

• Marriott's Starwood Hotel database hacked, putting 500 million customers at risk
• Popular VTech children's tablet can be easily controlled by hackers
• Following 'unusual activity' from China and Saudi Arabia, Twitter reveals user country codes may have leaked

While the reduced number of overall records is clearly what Marriott will want the focus to be upon, the fact that details of 5.3 million passports have been exposed places many customers at an increased risk of identity theft. The company maintains its belief that hackers were not able to steal the encryption keys needed to access a further 20 million passport numbers.

In an update to its November statement, the company says:

Marriott now believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers. There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.

Marriott is putting in place a mechanism to enable its designated call center representatives to refer guests to the appropriate resources to enable a look up of individual passport numbers to see if they were included in this set of unencrypted passport numbers.

The revision downwards of the number of affected customers comes after the company completed analysis that enabled it to "identify duplicative information". However, its goes on to say that while the number is lower than first thought, it is "not able to quantify that lower number because of the nature of the data in the database".

Arne Sorenson, Marriott's president and CEO, said: "We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened. As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott".

Image credit: ANDREA DELBO / Shutterstock