Marriott has confirmed that the number of guests affected in the breach of Starwood’s guest reservation database is down from the originally estimated 500 million to “fewer than 383 million unique guests.” At this time, the hotel giant is unable to confirm an exact number of guests impacted.
According to the statement, approximately 5.25 million unique unencrypted passport numbers and 20.3 million encrypted passport numbers were stolen. Attackers also accessed 8.6 million unique payment card numbers, all of which were encrypted, but only 354,000 cards were active and unexpired at the time of the breach. In its earlier notice in November of last year, the hotel giant confirmed that there had been unauthorized access to the Starwood network since 2014.
Marriott said that it has completed the phase out of Starwood’s reservation database, and now runs guest bookings through its Marriott database, which wasn’t accessed in the breach.
A Breach of Immense Scale and Scope
According to an initial report from the BBC, for roughly 327 million guests, the attacker was able to access personally identifiable information including a combination of name, address, phone number, email address, passport number, account information, date of birth, and gender. In some cases, the compromised records also included encrypted credit card information. At this time, the company was still trying to determine whether the encryption keys had also been stolen.
In a statement published on Nov. 30, Marriott said that it received an alert from an internal security tool that an unauthorized user had attempted to access the Starwood database in the US on Sept. 8, 2018. An investigation into the incident confirmed that an attacker had copied and encrypted the information. Marriott was able to decrypt the information to confirm that the contents were from the Starwood guest reservation database.
Marriott reported the incident to both law enforcement and regulatory authorities, and the UK's data regulator is investigating. While Marriott’s headquarters are in the US, it works with and hosts European citizens, so it must ensure that it meets GDPR compliance. It’s anticipated that Marriott International will receive a substantial penalty because of the size and scale of the breach.
To read initial coverage of this story, with commentary from Veracode Co-Founder and CTO Chris Wysopal, click here.