BETHESDA, Md. — An ongoing investigation into the unauthorized access of a Starwood guest-reservations database has revealed that the total number of guest records involved in the incident is less than originally estimated.
Through the efforts of internal and external investigation teams, Marriott International has also determined that the number of payment-card and passport numbers involved is “a relatively small percentage of the overall total records involved.”
When the data-security incident was announced late last year, the company originally estimated that the incident involved information about approximately 500 million guests. However, Marriott has now identified approximately 383 million records as the upper limit for the total number of guest records that were compromised, which includes instances of multiple records for the same guest.
The company also believes that approximately 5.25 million unencrypted passport numbers were included in the accessed information, in addition to approximately 20.3 million encrypted passport numbers. There is no evidence that the master-encryption key associated with this information was accessed.
Marriott is currently establishing a process that will allow guests to determine if they were included in this set of unencrypted passport numbers, which will be facilitated through the company’s dedicated call centre.
The company has also indicated that approximately 8.6 million encrypted payment cards were involved in the incident, including approximately 354,000 that were unexpired as of September 2018. While the payment-card field in the data involved was encrypted — and there’s no evidence that either of the components needed to decrypt this information was compromised — Marriott is currently investigating whether payment-card data was inadvertently entered into other fields and was therefore unencrypted.
Marriott has phased out the operation of the Starwood reservations database as part of the company’s post-merger integration work.