In short: The data breach was not as bad as we originally thought, but it was still pretty bad, and fairly big.
Following the news of the massive, four-year data security breach on November 30, Marriott International provided new updates Friday that show that the breach, while far-reaching, was not as impactful as the hotel chain originally reported.
Marriott initially reported that it estimated some 500 million guests who made a reservation at a Starwood property from 2014 to September 10, 2018 may have been impacted by the data breach. On Friday the company said it has identified approximately 383 million records that may have been compromised, but noted that the number of guests impacted is likely less than 383 million.
In a statement, the company wrote: “This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest.”
The company said it believes that some 5.25 million unencrypted passport numbers were part of the breach, along with 20.3 million encrypted passport numbers. Marriott said, “There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.”
Going forward, Marriott will give guests who contact its designated call center and website a way to look up their individual passport numbers and verify whether they were included in this list of 20.3 million encrypted passport numbers.
The company reported that approximately 8.6 million encrypted payment cards were involved in the incident and that approximately 354,000 of those payment cards were unexpired as of September 2018. Marriott said that other fields in the payment card data involved may contain fewer than 2,000 15-digit and 16-digit numbers that might be unencrypted payment card numbers.
In the same statement released Friday, Marriott International CEO Arne Sorenson said, “We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened. As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
Marriott announced that it completed the closure of the Starwood reservations database that was breached. The discontinuation of this database wasn’t prompted by the security breach, but was part of Marriott’s planned release of a new reservations system, called ERS, for all of its 6,700 legacy Starwood and Marriott hotels worldwide.
As Marriott continues to investigate what happened with regard to the breach, there have been reports that China may have been a potential culprit. However, a company spokesperson reiterated, “Our primary objectives in this investigation are figuring out what occurred and how we can best help our guests. We have no information about the cause of this incident and we have not speculated about the identity of the attacker. We alerted law enforcement and are supporting their investigation.”
While data breaches at hotels are not at all uncommon, Marriott’s security incident was particularly large and took place over an extended period of time, making it one of the largest customer data security breaches in recent history.
The incident also led to concerns that the breach may anger frustrated loyalty members who have been dealing with the ongoing integration of Marriott’s three loyalty programs, Marriott Rewards, Starwood Preferred Guest, and Ritz-Carlton Rewards. However, as Skift reported previously, many loyalty members were not surprised and did not appear to be rattled.
Photo credit: An alert on the SPG app for iOS telling members about a security breach. Marriott International recently reported one of the largest customer data security breaches in recent history, involving Starwood Hotels & Resorts, which the company bought in 2016 for $13.3 billion. Skift