Marriott: Starwood Data Breach Likely Affected Fewer Than 383 Million Guests

The Westin New York Times Square, now part of Marriott International

Marriott International has identified approximately 383 million as the upper limit for the total number of guest records that were involved in its Starwood data breach, which was revealed Nov. 30, 2018. This does not, according to the company, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guests. Marriott announced today "with a fair degree of certainty" that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.
"We want to provide our customers and partners with updates based on our ongoing work to address this incident, as we try to understand as much as we possibly can about what happened," said Arne Sorenson, Marriott's president and CEO. "As we near the end of the cyber-forensics and data-analytics work, we will continue to work hard to address our customers' concerns and meet the standard of excellence our customers deserve and expect from Marriott."

Working closely with its internal and external forensics-and-analytics investigation team, Marriott also determined that the number of payment cards and passport numbers involved is a relatively small percentage of the overall information involved. The company now believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers. There is no evidence that the unauthorized third party accessed the master encryption key needed to decipher the passport numbers.
Marriott said designated call-center representatives soon will be able to help guests to look up individual passport numbers to see if they were included in the set of unencrypted passport numbers. Marriott will update its designated website for this incident when the capability is in place. 
As for payment-card information, Marriott said approximately 8.6 million encrypted payment cards were involved in the incident. Of that number, approximately 354,000 payment cards were unexpired as of September 2018. There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the card numbers.
While the payment-card field in the data involved was encrypted, further analysis will determine if payment-card data was inadvertently entered into other fields and was therefore not encrypted. There could be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data that might be unencrypted payment-card numbers. The company is continuing to analyze these numbers to better understand if they are payment-card numbers and, if they are, a process will be put in place to assist guests. Further updates on this data also will be made to the incident's dedicated website, which also includes toll-free phone numbers to reach the company's dedicated call center.
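The analysis described above, deciding whether 15- and 16-digit numbers sitting in non-card fields are actually payment-card numbers, is the kind of data-discovery check a defender runs with a Luhn validation over free-text fields. The following is an added example, not Marriott's tooling; the record layout, field names and sample values are constructed for illustration.

```python
import re

# Luhn check (ISO/IEC 7812 check digit) applied to a digit-only string.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Runs of 15 or 16 digits (optionally separated by spaces or hyphens) that are
# not part of a longer digit run, so a 17-digit reference number is not flagged.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")

def find_candidate_pans(text: str):
    """Return digit-only strings from text that are 15 or 16 digits and pass Luhn."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if len(digits) in (15, 16) and luhn_valid(digits):
            found.append(digits)
    return found

def mask(pan: str) -> str:
    """Keep only the last four digits so findings can be reported safely."""
    return "*" * (len(pan) - 4) + pan[-4:]

def scan_records(records, encrypted_fields=("card_number",)):
    """Scan every string field except the designated encrypted card field.
    Returns a list of (record_id, field_name, masked_pan) findings."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if field in encrypted_fields or not isinstance(value, str):
                continue
            for pan in find_candidate_pans(value):
                hits.append((rec["id"], field, mask(pan)))
    return hits

# Constructed sample records (hypothetical layout); the card numbers are the
# well-known public test numbers, not real cards.
SAMPLE_RECORDS = [
    {"id": 1, "card_number": "<encrypted>", "notes": "Guest prefers high floor.", "phone": "212-555-0199"},
    {"id": 2, "card_number": "<encrypted>", "notes": "Card on file 4111 1111 1111 1111 per guest", "phone": ""},
    {"id": 3, "card_number": "<encrypted>", "notes": "Amex 378282246310005 exp 09/18", "phone": ""},
    {"id": 4, "card_number": "<encrypted>", "notes": "Confirmation 1234567890123456", "phone": ""},
]
```

Record 4 carries a 16-digit confirmation number that fails the Luhn check, so it is not reported, while the free-text notes in records 2 and 3 are flagged with masked values only.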
In the meantime, Marriott has completed its planned phase-out of the Starwood reservations database, effective the end of 2018. All reservations are now running through the Marriott system.
Affected Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, the Luxury Collection, the Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels, as well as Starwood branded time-share properties (Sheraton Vacation Club, Westin Vacation Club, The Luxury Collection Residence Club, St. Regis Residence Club, and Vistana).