Marriott lowered its estimate of how many guests were affected by a breach of its Starwood reservation system but disclosed millions of passport numbers were stolen.
The company initially estimated in November that hackers may have gained unauthorized access to the personal information of up to 500 million people who made a reservation at one of the Starwood hotel chains.
In an update Friday, Marriott said it “identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident” and concluded fewer than that number was actually compromised “although the company is not able to quantify that lower number because of the nature of the data in the database.”
The update also provided details on specific data that was exposed by the hackers, stating Marriott now believes it included approximately 5.25 million unencrypted passport numbers and about 20.3 million encrypted passport numbers.
“There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers,” Marriott said.
According to TechCrunch, passport numbers can be used for identity theft and to commit fraud and are “the sort of data that remains highly valuable for spy agencies that can use the information to track down where government officials, diplomats, and adversaries have stayed — giving insight into what would ordinarily be clandestine activities.”
Marriott also disclosed 8.6 million unique payment card numbers were accessed, but only 354,000 cards were active and unexpired at the time of the breach in September.
The Starwood chains, which Marriott acquired in 2016, include St. Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points, and W Hotels. According to Marriott, the hackers had gained unauthorized access to the Starwood reservation system since 2014.
The states of New York, Maryland, and Pennsylvania have opened investigations into the breach, which was the largest data security lapse of 2018.