Marriott admits 5.25 million unencrypted passport numbers were included in breach

Marriott Hotels admitted today that as many as 5.25 million unencrypted passport numbers were included in a huge hack of the company’s Starwood chain database of customers discovered last fall.

In a news release this morning the company didn’t explain why this data wasn’t encrypted when approximately 20.3 million passport numbers were.

“There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers,” the statement added.

The statement also updated the number of records stolen. Initially it thought data on about 500 million guests who made a reservation at a Starwood property on or before September 10, 2018 was compromised. Now it says approximately 383 million records is the upper limit for the total number of guest records that were involved, but that includes multiple records for the same guest.

However, it is still unable to say exactly how many individuals might have been involved “because of the nature of the data in the database.”

The statement also said approximately 8.6 million encrypted payment cards were involved in the breach over four years. Of those, it adds, the vast majority had expired by September, 2018, when the breach was discovered. Approximately 354,000 cards were unexpired as of September 2018. There is no evidence the hacker got hold of either of the components needed to decrypt the encrypted payment card numbers, Marriott adds.

However, it also said that while the payment card field in the Starwood database was encrypted, the investigation is looking into whether payment card data was inadvertently entered into other fields and was therefore not encrypted. “Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests.”
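The kind of check described above, looking through fields that are not meant to hold card data for 15-digit and 16-digit numbers, can be sketched as follows. This is an added example, not Marriott's or its investigators' method: the field names and sample rows are constructed, and the Luhn checksum is an assumed filter for narrowing candidates.

```python
import re

# A run of 15 or 16 digits, optionally separated by single spaces or hyphens,
# that is not part of a longer unbroken digit run.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){14,15}(?!\d)")

def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep first six and last four digits so findings can be logged safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_rows(rows, id_field="guest_id", skip_fields=("card_number_enc",)):
    """Return (row id, field, masked number) for Luhn-valid candidates found
    outside the encrypted card field (field names are hypothetical)."""
    findings = []
    for row in rows:
        for field, value in row.items():
            if field == id_field or field in skip_fields:
                continue
            if not isinstance(value, str):
                continue
            for match in CANDIDATE.finditer(value):
                digits = re.sub(r"[ -]", "", match.group())
                if luhn_valid(digits):
                    findings.append((row[id_field], field, mask(digits)))
    return findings

# Constructed sample rows; the card numbers are well-known public test numbers.
SAMPLE_ROWS = [
    {"guest_id": "G1", "card_number_enc": "<ciphertext>",
     "notes": "late arrival, card 4111 1111 1111 1111 on file"},
    {"guest_id": "G2", "card_number_enc": "<ciphertext>",
     "notes": "booking ref 1234567890123456"},
    {"guest_id": "G3", "card_number_enc": "<ciphertext>",
     "special_requests": "charge 378282246310005 for minibar"},
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

A Luhn pass only marks a number as a candidate, since roughly one in ten arbitrary digit strings also passes, so each hit still needs review before it is treated as a card number.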

Marriott bought the Starwood chain in September, 2016. The Starwood brand includes W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

Marriott discovered something wrong on Sept. 8, 2018 when an internal security tool detected an attempt to access the Starwood guest reservation database. An investigation revealed it had been breached four years earlier.

The Starwood reservation system was phased out at the end of December, the Marriott statement said, as part of a post-merger IT integration.


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]