It wasn’t 500 million guests, says Marriott following massive security breach

It wasn’t 500 million guests, says Marriott following massive security breach

BETHESDA, MD — There weren’t as many guests affected by Marriott’s database security breach last November, according to a new update by the hotel company. But the estimated total is still in the hundreds of millions.

First reported to have affected as many as 500 million guests who made a reservation at a Starwood property on or before Sept. 10, 2018, Marriott now believes that the number is closer to 383 million.

Marriott adds that this does not mean that personal information for 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest.

Marriott also believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed includes approximately 20.3 million encrypted passport numbers. There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.

The company is putting in place a mechanism to enable its designated call centre representatives to allow guests to look up individual passport numbers to see if theirs was included in this set of unencrypted passport numbers. Marriott will update its designated website for this incident ( when it’s in place.

As for payment card information, the company now believes that approximately 8.6 million encrypted payment cards were involved in the breach. Of that number, approximately 354,000 payment cards were unexpired as of September 2018. There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers.

Although the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted. The company believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that may be unencrypted payment card numbers.

“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” said Arne Sorenson, Marriott’s President and Chief Executive Officer.  “As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”

The company has completed the phase out of the operation of the Starwood reservations database, effective the end of 2018. With the completion of the reservation systems conversion undertaken as part of the company’s post-merger integration work, all reservations are now running through the Marriott system.

Guests who have questions related to their payment cards should visit for more information.

Travel Week Logo

Get travel news right to your inbox!