5.25 Million Unencrypted Passport Numbers Accessed in Starwood Breach


In November 2018, Marriott announced that there was unauthorized access to their Starwood Preferred Guest reservation system and that the data for up to 500 million guests had been compromised. In an update today, Marriott has stated that the number of affected customers is lower than expected at 383 million, but that 5.25 million unencrypted passport numbers were accessed.

When the breach was first announced, Marriott stated that there had been unauthorized access to the Starwood reservation database since 2014 and that these third parties had access to data such as passport numbers, Starwood Preferred Guest (SPG) account details, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

In an update released today, Marriott has stated that the total number of affected victims is less than originally thought.

“Working closely with its internal and external forensics and analytics investigation team, Marriott determined that the total number of guest records involved in this incident is less than the initial disclosure,” Marriott stated in their update. “Also, the number of payment cards and passport numbers involved is a relatively small percentage of the overall total records involved.”

This security incident update revealed that the total number of affected users has an upper limit of 383 million rather than the original 500 million. Marriott has also stated that approximately 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers were accessed. There is no evidence at this time that the hacker was able to access the master decryption key for the encrypted numbers.

The update also states that 8.6 million encrypted payment cards were accessed, with approximately 354,000 payment cards being unexpired as of September 2018. Marriott goes on to say that there is no evidence that the third parties had access to the key needed to decrypt these payment cards. As a precaution, though, the company is searching through other fields in the database to make sure unencrypted payment information is not stored in them.
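A sweep like the one described above, looking for card numbers that ended up in fields never meant to hold them, is commonly built from a digit-run pattern plus a Luhn checksum to cut false positives. The following is an added example, not Marriott's tooling; the column names and sample rows are constructed, and the card values are the well-known public test numbers.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first 6 and last 4 so the report itself holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # all-identical digits (e.g. zeros) pass Luhn but are not cards
        if luhn_ok(digits) and len(set(digits)) > 1:
            hits.append(mask(digits))
    return hits

def scan_rows(rows) -> list:
    """Return (row id, column, masked PAN) for every free-text hit."""
    findings = []
    for row in rows:
        for col, val in row.items():
            if col == "id" or not isinstance(val, str):
                continue
            findings.extend((row["id"], col, pan) for pan in find_pans(val))
    return findings

# Constructed sample rows; "guest_notes" and "special_requests" are hypothetical columns.
SAMPLE_ROWS = [
    {"id": 1, "guest_notes": "Late arrival, card 4111 1111 1111 1111 on file",
     "special_requests": "high floor"},
    {"id": 2, "guest_notes": "Confirmation 1234567890123456", "special_requests": None},
    {"id": 3, "guest_notes": "", "special_requests": "charge 5555-5555-5555-4444 for minibar"},
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Row 2 shows why the checksum matters: a 16-digit confirmation number matches the pattern but fails Luhn and is not reported.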

For those affected by this breach, Marriott has a dedicated support site at https://answers.kroll.com/ where users can sign up for a free web monitoring service and find phone numbers to call for more information. Marriott has also stated that customers can contact the listed phone numbers to receive a method for checking whether their passport number was one of those stored unencrypted in the database.

Finally, the original Starwood reservation database has now been shut down as part of the merger with Marriott. All reservations now go through the Marriott reservation system.
