There’s the slightly good news, and then there’s the really bad news.
International hotel chain Marriott International, Inc. announced Jan. 4 that the massive hack of its Starwood customer database first reported in Nov. was both simultaneously less troublesome and a whole lot worse than initially thought.
Let’s get that bad news out of the way first: It turns out that over five million customers’ passport numbers were stolen by what is believed to have been hackers working for the Chinese government, and that data was unencrypted.
As for the sort of good news: According to an update published to the company’s website, the total number of guests affected by the hack is likely not the 500 million first feared. It’s still a lot, though.
“The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved,” reads the update, “although the company is not able to quantify that lower number because of the nature of the data in the database.”
Got that? So instead of 500 million people, only up to 383 million Marriott guests (but maybe less) need to worry that unknown hackers have access to their personal data. But, as mentioned above, the update also notes that some of the stolen information was unencrypted — meaning that whoever took it should have no trouble accessing it.
And the unencrypted data in question just so happens to be passport numbers.
“Marriott now believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party,” the update explains. “The information accessed also includes approximately 20.3 million encrypted passport numbers.”
The company says it has “no evidence” that hackers got the “encryption key needed to decrypt the encrypted passport numbers.” So, assuming you trust Marriott’s statement, that’s good at least.
As the New York Times notes, that hackers got so many unencrypted passport numbers is particularly worrying. Notably, in the hands of a foreign intelligence service, the numbers would allow said agency to track people as they move around the globe. In addition, in the form of a hotel chain’s database, it might allow for conclusions to be drawn regarding who guests travel and work with. This could cause problems for government employees or contractors.
But don’t stress too hard about this, as Marriott is here to assure you that the barn door has finally been closed on its Starwood reservation database effective 2018. Too bad it couldn’t have managed that feat five years ago.