Global hotel chain Marriott believes that more than five million unencrypted passport numbers were included among the data breach that came to light in November last year.
Further investigation into the incident, which hit the reservation system of the company’s Starwood portfolio in 2014, estimates that a total of 5.25 million unencrypted passport numbers were obtained, as well as 20.3 million encrypted passport numbers.
The company also estimates that around 8.6 million encrypted payment cards were obtained.
Marriott said it had no evidence to suggest that the perpetrators had the master encryption key to unlock encrypted data.
The database also stored information including dates of birth, names, addresses and phone numbers.
Overall, the company now thinks the number of guest records involved is fewer than the previous 500 million estimate, identifying approximately 383 million records as the “upper limit”.
This number could fall further when factoring in duplicate records, Marriott said.
“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” said Arne Sorenson, Marriott president and chief executive.
“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
Starwood hotels, which include Trump Turnberry in Ayrshire, London’s Park Lane Sheraton Grand, Westbury Mayfair and Le Meridien Piccadilly, have ceased using their own reservation database since the end of 2018 and have now integrated with the Marriott system.
Both the National Crime Agency (NCA) and Information Commissioner’s Office (ICO) said they would be making inquiries when the incident was first reported on November 30.