Marriott International has revised downward the number of guests impacted by the Starwood reservations database hack announced by the company Nov. 30, finding fewer guest records were involved in the incident than the 500 million initially estimated.
The megachain identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the years-long cyber attack. However, this number does not represent unique guests: Marriott’s research also uncovered multiple records for the same guest in many instances, so the company concluded that information for far fewer than 383 million unique guests was involved in the breach.
Narrowing the number of impacted guests further is not possible at this time, Marriott said, due to the nature of the data in its database.
Marriott worked with its internal and external forensics and analytics investigation teams and determined that the number of payment cards and passport numbers accessed by hackers constituted a small percentage of the overall records involved in the breach. The company also clarified that when it initially revealed the breach it had not yet completed the analytics work needed to identify “duplicative information.”
The breach allowed hackers unauthorized access to the Starwood Hotels & Resorts Worldwide network starting in 2014; Marriott acquired Starwood in 2016 for $13.6 billion.
“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” Arne Sorenson, Marriott’s president and CEO, said in a statement. “As we near the end of the cyber-forensics and data-analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
One of the major sticking points to come out of Marriott’s data breach was an insistence from lawmakers that the company reimburse impacted guests for replacement passports in the event that their information was stolen. Following an investigation, Marriott now estimates approximately 5.25 million unencrypted passport numbers were included in the information accessed by hackers, as well as 20.3 million encrypted passport numbers.
In response, Marriott is putting in place a mechanism for its designated call center representatives to refer guests to the appropriate resources, so that individual passport numbers can be looked up to see whether they were included in this set of unencrypted passport numbers.
Data breach investigations are often lengthy, as the affected organizations attempt to unravel all that took place. The additional information now coming out about the Marriott hack is just the latest example of how these tend to unfold, said Cath Goulding, head of cyber security at Nominet. Nominet is a British tech security firm that has run critical infrastructure for 20 years.
“It's troubling that 25 million passport numbers were compromised in the incident, as cybercriminals can use that information to potentially open fraudulent new accounts in your name, access your current accounts, and steal your identity by replicating your passport,” Goulding said. “It's important for organizations around the globe to ensure their threat monitoring and security systems can identify cyber threats when they first interact with critical systems so breaches can be stopped before any confidential information is accessed. That includes monitoring for threats in DNS traffic, as DNS has become a path for cyberattacks. But just as important is having real-time intelligence about the security posture of your systems that can be leveraged in forensic investigations to quickly uncover what happened, when and how.”
Marriott will update its designated website for this incident when it has this capability in place. The website lists telephone numbers to reach the company’s dedicated call center and includes information about the process to be followed if guests believe that they have experienced fraud as a result of their passport numbers being involved in this incident.
Additionally, Marriott now believes that approximately 8.6 million encrypted payment cards were involved in the incident. Of that number, approximately 354,000 payment cards were unexpired as of September 2018. There is no evidence the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers.
While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted. Marriott indicated there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if so, the process it will put in place to assist guests. Further updates will be made to the dedicated website.
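The follow-up analysis described above, looking for 15- and 16-digit numbers that ended up in free-text fields rather than the encrypted card field, is a standard data-discovery task. The script below is an added illustration of how such a scan is typically done; it is not Marriott's code and the guest records in it are constructed, fictional samples (the field names `card_number_enc`, `notes` and `address2` are assumptions). It extracts digit runs from every non-card field, keeps those of card length, and applies the Luhn check digit test so that a booking reference or other non-card number can be separated from a likely card number before anyone is notified.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample records (fictional values, not data from the Marriott incident).
# "card_number_enc" stands in for the dedicated, encrypted card field; the free-text
# fields are where a card number might have been typed by mistake.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"guest_id": "G-0001", "card_number_enc": "<ciphertext>",
     "notes": "Late arrival, reach guest on 5551234567"},
    {"guest_id": "G-0002", "card_number_enc": "<ciphertext>",
     "notes": "Guest read card 4111 1111 1111 1111 over the phone"},
    {"guest_id": "G-0003", "card_number_enc": "<ciphertext>",
     "address2": "Ref 1234567890123456"},
    {"guest_id": "G-0004", "card_number_enc": "<ciphertext>",
     "notes": "Amex 378282246310005 kept on file for incidentals"},
]

# Fields expected to hold (encrypted) card data; these are skipped by the scan.
ENCRYPTED_CARD_FIELDS = ("card_number_enc",)

# A run of digits, optionally broken up by spaces or dashes as people type them.
DIGIT_RUN = re.compile(r"\d(?:[\d -]*\d)?")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so findings can be reported safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_candidate_pans(text: str) -> List[str]:
    """Return 15- or 16-digit strings found in free text, separators stripped."""
    found = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if len(digits) in (15, 16):
            found.append(digits)
    return found


def scan_records(records: Iterable[Dict[str, str]],
                 skip_fields: Iterable[str] = ENCRYPTED_CARD_FIELDS) -> List[Dict[str, object]]:
    """Scan every non-card field of every record for possible plaintext card numbers.

    Each finding records where the number was, its length, a masked form, and
    whether it passes Luhn. A failed Luhn check makes a card number unlikely
    (a booking reference, for instance), but the finding is still reported so
    a human can review it.
    """
    skip = set(skip_fields)
    findings: List[Dict[str, object]] = []
    for rec in records:
        for field, value in rec.items():
            if field in skip:
                continue
            for digits in find_candidate_pans(value):
                findings.append({
                    "guest_id": rec.get("guest_id"),
                    "field": field,
                    "length": len(digits),
                    "masked": mask_pan(digits),
                    "luhn_ok": luhn_ok(digits),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

Run against the sample records, the scan flags three candidates: the two that pass Luhn (a Visa-format and an Amex-format test number) and the 16-digit reference in `address2`, which fails Luhn and is reported only for review. The ten-digit phone number is never a candidate. In a real investigation the hits that pass Luhn are the ones that need the guest-assistance process the article describes; reporting only a masked form keeps the scan output itself from becoming another copy of the card data.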