Marriott disclosed on Friday that it had left exposed 5.25 million unencrypted passport records along with 20.3 million encrypted passport credentials in a breach of its Starwood reservations database first disclosed a month ago.
The background: The breach and unauthorized access to Starwood’s reservation network ran from 2014 through November, 2018. On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Two months later, Marriott said up to 500 million guests could be involved in the break-in.
The hotel giant has now revised downward to 383 million customer records it believes have been affected by the cyber theft. And, it suggested that figure could drop even lower as duplicate entries are identified. “The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database,” Marriott said in a posted statement.
There is some additional information on the theft of some nine million encrypted bank cards, including more than 350,000 still active as of last September. The company said there is no evidence that the hackers were able to decode payment card numbers. It conceded that it’s a bit less certain about the unencrypted bank cards stolen in the hack. Marriott said it is “undertaking additional analysis” to see if payment card data was "inadvertently entered into other fields and was therefore not encrypted.” It’s possible, Marriott said, that roughly 2,000 of 15- and 16-digit numbers “in other fields in the data involved“ could be unencrypted payment card numbers. Right now, Marriott doesn’t know nor does it have a concrete process in place to help those customers that may be affected.
Marriott's Starwood Breach: Passport Number Concerns
As for the passport numbers, Marriott waved off any suggestion that the hackers have been able to decrypt customers' credentials. “There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers,” Marriott said. What about the unencrypted passports? The hotel chain didn’t say. It has offered to pony up the fee to pay for a new passport for people whose information taken from the Starwood database has been involved in cyber fraud. That’s kind of a short step to nowhere for every other customer whose data had been pilfered but not yet used by hackers.
Left unanswered still is the whether Marriott has violated breach reporting requirements under General Data Protection Rules rules. Based on Marriott’s 2017 total revenue of $23 billion, the fine for failing to toe the line could cost it nearly $1 billion. Meanwhile, the New York Attorney General’s office has said it will inquire further, as did Attorneys General in Connecticut, Illinois, Massachusetts and Pennsylvania. So will the U.K.’s Information Commissioner’s Office. Class action lawsuits in Oregon and Maryland have already been filed against Marriott.
Marriott's Starwood Breach: Who Done It?
So far, no suspects in the hack have been identified. In December, The New York Times reported that the attack was tied to a massive Chinese intelligence gathering effort.
The Starwood reservations database has been phased out as of the end of 2018, Marriott said.