Ongoing work by Marriott’s internal and external forensics and analytics investigations team has shown that the total number of guest records involved in the data breach that came to light last year is less than what was initially disclosed, the hotel giant said.
Providing updates of the incident in a statement, Marriott added that the number of payment cards and passport numbers exposed is a “relatively small percentage of the overall total records involved”.
Marriott is updating its press release of November 30, 2018, which stated that information on approximately 500 million guests who made a reservation at a Starwood property on or before September 10, 2018 was believed to have been compromised in a data breach.
The company is clarifying that at the point of releasing the announcement, the company had not completed the analytics work to identify duplicative information.
Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident. It concluded with a “fair degree of certainty” that the information of fewer than 383 million unique guests was involved, as “in many instances, there appear to be multiple records for the same guest”. The company, however, was not able to quantify that lower number “because of the nature of the data in the database”.
As for passport information, Marriott now believes that under 5.3 million unencrypted passport numbers were included in the information accessed by the unauthorised third party.
The information accessed also includes approximately 20.3 million encrypted passport numbers. There is no evidence that the unauthorised third party accessed the master encryption key needed to decrypt the encrypted passport numbers, Marriott said.
Marriott is putting in place a mechanism enabling its designated call centre representatives to refer guests to the appropriate resources for looking up individual passport numbers to see whether they were included in this set of unencrypted passport numbers.
A website has been set up, listing phone numbers to reach the company’s dedicated call centre and including information about the process to be followed if guests believe that they have experienced fraud as a result of their passport numbers being involved in this incident.
Meanwhile, Marriott believes that approximately 8.6 million encrypted payment cards were involved in the incident. Of that number, approximately 354,000 payment cards were unexpired as of September 2018. Again, Marriott highlighted that there is no evidence that the unauthorised third party accessed either of the components needed to decrypt the encrypted payment card numbers.
While the payment card field was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted.
Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyse these numbers to better understand if they are payment card numbers.
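The analysis Marriott describes, scanning fields that were never meant to hold card data for 15- and 16-digit numbers and then deciding whether they are really card numbers, is a standard post-incident and data-loss-prevention task. The following is an added illustration of how such a scan can be done; it is not Marriott's code and says nothing about how the company actually carried out its analysis. The records, field names (`card_number_enc`, `notes`, `comments`) and card numbers are constructed for the example (the card numbers are publicly known test numbers, not real cards). It finds digit runs of 15 or 16 digits, tolerating single spaces or dashes between groups, applies the Luhn check that every branded payment card number must pass, and reports only a masked form so the report itself does not become another store of cleartext card numbers.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample records. The encrypted card field is represented by a placeholder string;
# the free-text fields are where card numbers might have been typed in by mistake.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"guest_id": "G-1001", "card_number_enc": "<ciphertext>", "notes": "Late checkout requested"},
    {"guest_id": "G-1002", "card_number_enc": "<ciphertext>", "notes": "Guest read card over phone: 4111111111111111"},
    {"guest_id": "G-1003", "card_number_enc": "<ciphertext>", "comments": "Amex 378282246310005 given at desk"},
    {"guest_id": "G-1004", "card_number_enc": "<ciphertext>", "notes": "Confirmation 1234567890123456"},  # 16 digits, fails Luhn
    {"guest_id": "G-1005", "card_number_enc": "<ciphertext>", "comments": "Deposit card 5555 5555 5555 4444"},
    {"guest_id": "G-1006", "card_number_enc": "<ciphertext>", "notes": "Loyalty no. 12345678901234567"},  # 17 digits, not a candidate
]

# 15 or 16 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so findings can be triaged without re-exposing the full number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_candidate_pans(records: Iterable[Dict[str, str]],
                        card_fields: Tuple[str, ...] = ("card_number_enc",)) -> List[Dict[str, object]]:
    """Scan every non-card string field for 15/16-digit runs and flag whether each passes Luhn.

    Fields listed in card_fields are skipped: those are the fields designed (and encrypted) to hold
    card data, so the point is to look everywhere else.
    """
    findings: List[Dict[str, object]] = []
    for rec in records:
        for field, value in rec.items():
            if field in card_fields or not isinstance(value, str):
                continue
            for match in CANDIDATE_RE.finditer(value):
                digits = re.sub(r"\D", "", match.group(0))
                if len(digits) not in (15, 16):
                    continue
                findings.append({
                    "guest_id": rec.get("guest_id"),
                    "field": field,
                    "masked": mask_pan(digits),
                    "luhn_valid": luhn_valid(digits),
                })
    return findings


def summarise(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count candidates overall and those that pass Luhn, i.e. the ones that need follow-up."""
    likely = sum(1 for f in findings if f["luhn_valid"])
    return {"candidates": len(findings), "likely_card_numbers": likely}


if __name__ == "__main__":
    results = find_candidate_pans(SAMPLE_RECORDS)
    for f in results:
        print(f"{f['guest_id']}: field={f['field']} value={f['masked']} luhn_valid={f['luhn_valid']}")
    print(summarise(results))
```

A Luhn pass is necessary but not sufficient: confirmation numbers and other identifiers can pass it by chance (roughly one in ten random digit strings does), so the candidates still need review against issuer number ranges or the card-processing records before they are treated as exposed card numbers. That is the same gap the article describes between "15-digit and 16-digit numbers" and confirmed "payment card numbers".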
The company has completed the phase-out of the Starwood reservations database, effective the end of 2018. With the completion of the reservation systems conversion undertaken as part of the company’s post-merger integration work, all reservations are now running through the Marriott system.