Hotel operator and franchisor Marriott International Inc. reported Friday that 8.6 million encrypted payment card records were compromised in the big data breach it disclosed Nov. 30. Of those, 354,000 cards were unexpired.
The card statistics are included in an update Bethesda, Md.-based Marriott issued about the breach of the Starwood reservation system that it inherited when it acquired Starwood Hotels & Resorts Worldwide Inc. in September 2016. Marriott originally said the breach, which began in 2014 and lasted until September 2018, compromised 500 million guest records such as names, email addresses and other information, but not until today did it provide numbers about the card aspect.
“Marriott now believes that approximately 8.6 million encrypted payment cards were involved in the incident,” says the updated post on Marriott’s Web site. “Of that number, approximately 354,000 payment cards were unexpired as of the date the information was accessed. There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers.”
Marriott indicated in November that it was possible hackers had obtained decryption keys that could unlock the card data. A new twist is that the thieves may have stolen unencrypted data on a “small number” of cards.
“While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted,” the updated notice says. “Marriott believes that there may be a small number (less than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers.”
Meanwhile, Marriott scaled back the total number of guests involved from its original estimate of up to 500 million to 383 million, which it called the “upper boundary” of guests who had some combination of name, address, phone number and other personal data compromised, including in some instances passport numbers. “This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest,” the notice says.
Hackers stole approximately 5.25 million unique unencrypted passport numbers and 20.3 million encrypted passport numbers, according to Marriott.
Marriott also reported that it completed the phase-out of the Starwood reservation system at the end of December. All reservations in its vast network, which includes 5,700 properties worldwide and 30 hotel brands, now go through the Marriott system.