As you may remember, Marriott International confirmed in November of 2018 that its hotel guest database of about 500 million customers was stolen in a data breach. The breach was related to reservations Marriott’s Starwood Properties.

Since then, some new information about the data breach has been revealed.

The New York Times reported today that Marriott International conceded that its Starwood hotel unit did not encrypt the passport numbers for roughly five million guests. The New York Times also reported:

On Friday the firm said that teams of forensic and data analysts had identified “approximately 383 million records as the upper limit” for the total number of guest reservations lost, though the company still says it has no idea who carried out the attack, and suggested the figure would decline over time as more duplicate records are identified.

The New York Times pointed to some of its previous reporting from December of 2018, when it reported “that the attack was part of a Chinese intelligence gathering effort that, reaching back to 2014, also hacked American health insurers and the Office of Personnel Management, which keeps security clearance files on millions of Americans.”

Gizmodo reported that Marriott International said that a small number of payment cards – “fewer than 2,000” – may have been stored separately and in an unencrypted format.

Marriott confirmed that its hotel guest database of about 500 million customers was stolen in a data breach.

Those who have concerns that their data may have been stolen may want to read the announcement that Marriott posted on their website. It includes a list of things Marriott is doing in response to the data breach.

Marriott says that on November 19, 2018, their investigation determined that there was unauthorized access to their guest reservation database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.

Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotel, and Starwood branded timeshare properties.

Marriott believes that the data breach contained information on up to approximately 500 million guests who made a reservation at a Starwood property.

For approximately 327 million of these guests, the information taken includes some combination of: name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

TechCrunch reported that Marriott said an unknown number of records contained encrypted credit card data, but has “not been able to rule out” that the components needed to decrypt the data wasn’t also taken.

This is a mess! I wouldn’t be surprised if people avoided staying at Starwood brands, or Marriott brands, in the future. Once a company has a data breach of customer’s important information, it becomes extremely difficult to regain the trust of people whose information had been stolen. I also find it troubling that it took four years between when the data breach started and when Marriott found out about it.