Following a devastating cyber breach, hotel chain Marriott International has provided additional information on the scale of the attack.
Last week, Marriott revealed details of the attack on its reservation database, underlining the vast amounts of data – including payment cards and passport details – exposed.
The update, published on 4th January, shows that cybercriminals managed to access its Starwood guest database and take more than 5.25 million unencrypted passport numbers, as well as 20.3 million encrypted numbers.
Marriott has already signalled its intention to cover the cost of guests who require a new passport as a result of the breach.
Cause for Concern
Along with passport numbers, the chain revealed that criminals accessed more than 8.6 million encrypted payment card numbers. Although this is a significant cause for concern, Marriott acknowledged that most cards would be rendered useless were they to be decrypted.
Thousands of customers were advised to contact their bank following the breach.
Additionally, the overwhelming majority of these cards are believed to have been expired by September of last year when the breach was uncovered.
This, however, fails to address the fact that hackers gained access to Marriott’s systems in 2014, a time in which many of these cards may have been active.
In a statement, the hotel chain said: “There is no evidence that unauthorized third-party accessed either of the components needed to decrypt the encrypted payment card numbers.”
Read more: Top 5 Tech Trends for 2019
Following the company’s announcement in December, it was believed that a far higher number of record were stolen, Marriott confirmed.
Since its initial statement, the hotel chain has revised the estimated damage – which stood at 500 million hacked records – to around 383 million.
This represents 383 million records, Marriott insists, and not guests.
Some of these records include unencrypted names, mailing addresses, phone numbers and email addresses, as well as passport numbers, gender details, dates of birth and marketing/communication preferences chosen by guests.
“Marriott now believes that the number of potentially involved guests is lower than the 500 million the company had originally estimated,” the company confirmed.
“Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident,” the statement added. “This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest.”
Taking Back Control
The Starwood Reservations system used by the chain has been successfully phased out, according to Marriott.
“The company has completed the phase-out of the operation of the Starwood reservations database, effective the end of 2018,” Marriott said. “With the completion of the reservation systems conversation, undertaken as part of the company’s post-merger integration work, all reservations are now running through the Marriott system.”