On Jan. 4, Marriott offered an update on the number of guests whose passport numbers and payment card numbers were involved in the Starwood reservations database security incident announced by the company on November 30, 2018.
Some might be surprised by the following revisions, but according to Cath Goulding, Head of Cyber Security, at Nominet, "Data breach investigations are often lengthy, as the affected organizations attempt to unravel all that took place. The additional information coming out now about the Marriott hack is just the latest example of how these tend to unfold."
After working closely with its internal and external forensics and analytics investigation team, Marriott said it determined that the total number of guest records involved is less than the initial disclosure. Also, the number of payment cards and passport numbers involved is a relatively small percentage of the overall total records involved.
Originally, the company thought that approximately 500 million guests would be affected by the breach. However, it now believes that 383 million is the "upper limit" for the total number of guest records affected. The company clarified that this does not mean 383 million unique guests. It concluded that there appear to be multiple records for the same guest in many instances and that it believes – "with a fair degree of certainty" – that the information of fewer than 383 million unique guests was compromised.
However, Marriot said it cannot quantify the unique number of guests involved due to the "nature of the data in the database."
Passport Information Update
The company also went on to say that it believes approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers. However, it said that there was no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.
"A key question we need to ask is why do hotels need to store passport numbers? One of the biggest impacts of GDPR was that it forced companies to consider the personal data they hold and ask customers for, whether this data was really needed and if so how to properly protect it. This is a great example of too much data being collected and retained. In some countries there are local government requirements that visitor data is recorded for their domestic security purposes. If this is the case, the relevant personal data should be transferred directly into the relevant intelligence, customs or border control system and should not be retained by the hotel. This is just one example among far too many where data is being requested and stored without proper justification and certainly without appropriate measures in place to protect that data," says Matt Aldridge, Senior Solutions Architect at Webroot.
Payment Card Information Update
Marriott also said it believes that approximately 8.6 million encrypted payment cards were involved in the incident. Of that number, approximately 354,000 payment cards were unexpired as of September 2018. There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers.
While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted. Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests
Starwood Reservations Database Discontinued
The company has completed the phase out of the operation of the Starwood reservations database, effective the end of 2018. With the completion of the reservation systems conversion undertaken as part of the company's post-merger integration work, all reservations are now running through the Marriott system.