Marriott International revealed that over 5 million passport numbers stolen from its Starwood unit’s customer database were unencrypted. In a new statement, issued Friday, it also said that the number of guests involved is lower than initially thought.
Unencrypted Passport Numbers
Marriott said that approximately 5.25 million unencrypted passport numbers were amongst the data stolen during the cyber attack revealed at the end of November 2018. It said that a further 20.3 million encrypted passport numbers had been stolen, but it had no evidence that the hackers had the master encryption key needed to decrypt those numbers.
The presence of passport numbers in the data is of particular concern. Chinese authorities are suspected of carrying out the attack (via New York Times). The Chinese government denies any involvement. Marriott has offered to pay for replacement passports for anyone whose lost passport number is involved in fraud.
Marriott also said hackers took 8.6 million encrypted payment cards during the hack. 354,000 of them were unexpired as of September 2018, when the hackers were finally discovered. The statement explained that Marriott encrypted the payment card field. However, Marriott said it is “undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted.”
Still the Biggest Hack in History
Hackers had access to the customer database of Starwood, now a part of Marriott, from 2014 until September 10th, 2018. The company said that data from 383 million unique guests was stolen. This is lower than the 500 million it initially thought were involved. The number could fall further as more duplicated data is discovered. The incident remains the largest loss of data in history.
Arne Sorenson, Marriott’s President and Chief Executive Officer, said: “We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened. As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
Thanks for the update, Charlotte.
As a frequent traveller, I’ve stayed in practically every major hotel chain, and an uncountable number of local establishments. I’ve had my credit card data stolen on practically every continent at least once (okay, not Antarctica).
It is disheartening that, as a consumer, I can do all I can to minimise my exposure, and yet establishments that I am compelled to use can compromise my security with impunity. This really has to stop, and will only do so when there is more secure technology (like Apple Pay, although that does not address the non-encrypted passport info) and punishment for non-compliance with best practices.
Crikey.