Marriott Says 5 Million Passport Numbers Were Not Encrypted

As you may remember, Marriott International confirmed in November of 2018 that its hotel guest database of about 500 million customers was stolen in a data breach. The breach was related to reservations at Marriott’s Starwood Properties.

Since then, some new information about the data breach has been revealed.

The New York Times reported today that Marriott International conceded that its Starwood hotel unit did not encrypt the passport numbers for roughly five million guests. The New York Times also reported:

On Friday the firm said that teams of forensic and data analysts had identified “approximately 383 million records as the upper limit” for the total number of guest reservations lost, though the company still says it has no idea who carried out the attack, and suggested the figure would decline over time as more duplicate records are identified.

The New York Times pointed to some of its previous reporting from December of 2018, when it reported “that the attack was part of a Chinese intelligence gathering effort that, reaching back to 2014, also hacked American health insurers and the Office of Personnel Management, which keeps security clearance files on millions of Americans.”

Gizmodo reported that Marriott International said that a small number of payment cards – “fewer than 2,000” – may have been stored separately and in an unencrypted format.