Late last year the Marriott Hotel announced that it had suffered a data breach, which affected approximately 500 million guests who made a hotel reservation using its Starwood reservation system. Details about the data breach can be found in our previous blog.
The Marriott has now advised that it believes as many as 383 million records were accessed in the data breach. While this number has been revised down from the initial assessment of 500 million records, the Marriott believes approximately 5.25 million unencrypted passport numbers, 20.3 million encrypted passport numbers and 8.6 million encrypted debit and credit card numbers were obtained by hackers. So far the Marriott believes the hackers have not gained access to the master encryption key needed to decrypt the encrypted passport numbers or payment card numbers.
It is not unusual for a company to revise the size of a data breach it has suffered after further investigations into the data breach have been completed. Nevertheless, 383 million records impacted by the breach is still a significant number, especially when some of those records contain unencrypted identity information. The Marriott has advised guests that it will put a process in place for guests to look up whether their passport number was one of the unencrypted passport numbers, which is worth checking once the process is up and running if you have received a notification from the Marriott about the breach.