Marriott lowers estimate to 383 million guests exposed in breach

Marriott International Inc. says the number of guest records exposed in a cyber-security breach is lower than it estimated when it disclosed the attack in November.

After consulting internal and external investigators, the world’s largest lodging company now believes that no more than 383 million customers -- and probably fewer -- had their data exposed to unauthorized parties, Marriott said Friday in a statement. The company also provided a new accounting of the number of guests who had passport and credit-card data exposed.

Marriott didn’t provide any update on how thieves entered the system or why it took so long to discover the breach, which dates back to 2014. A company spokeswoman declined to comment on the subject.

“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” Chief Executive Officer Arne Sorenson said in the statement. “As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”

When Marriott revealed the attack on Nov. 30, it said hackers had used a breach in the Starwood Hotels & Resorts reservation database to gain access to records for as many as 500 million guests. Marriott acquired Starwood in 2016 for $13.6 billion, adding die-hard loyalty members and an unforeseen security problem.

Marriott said today that the number of customers affected is probably fewer than 383 million because there were often multiple records for a given guest, but that it can’t quantify the total due to the nature of the data.

The company also provided new details, saying the breach exposed about 5.3 million unencrypted passport numbers, 20 million encrypted passport numbers and 8.6 million encrypted payment cards. The company said it didn’t find evidence that the hackers were able to decrypt the protected data.

Bloomberg News