Starwood hack exposed 5.25m unencrypted passport numbers

Hotel chain Marriott says around 5.25 million unencrypted passport numbers were accessed in a hack of the Starwood reservations system that was revealed at the end of last year.

The attack started about four years ago but was only detected in September 2018, before being made public at the start of December.

It was initially reported that up to half a billion guests of Starwood Hotels and its various brands may have been impacted.

Starwood’s owner Marriott now says that “fewer than 383 million unique guests” were involved.

It’s likely the final number will be less because there are duplicate guest records in the system. De-duplicating the database has apparently proven difficult, with Marriott saying only that it was due to “the nature of the data in the database”.

Marriott provided an update on encrypted and unencrypted information that had been accessed in the attack.

“Marriott now believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorised third party,” it said in a statement.

“The information accessed also includes approximately 20.3 million encrypted passport numbers.

“There is no evidence that the unauthorised third party accessed the master encryption key needed to decrypt the encrypted passport numbers.”

Marriott also said it “now believes that approximately 8.6 million encrypted payment cards were involved in the incident.”  

“Of that number, approximately 354,000 payment cards were unexpired as of September 2018,” it said.

“There is no evidence that the unauthorised third party accessed either of the components needed to decrypt the encrypted payment card numbers.”

However, Marriott said it was in the process of checking whether payment card data was input into other fields of the reservation system, which may not have been encrypted.

“Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted,” it said.

“Marriott believes that there may be a small number (fewer than 2000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers.

“The company is continuing to analyse these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests.”

Marriott said that over the holiday period, it had “completed the phase out of the operation of the Starwood reservations database”.

Marriott bought Starwood in September 2016. It had still been running Starwood’s booking and reservations on a platform separate to its own.

“With the completion of the reservation systems conversion undertaken as part of the company’s post-merger integration work, all reservations are now running through the Marriott system,” it said.