Marriott revealed for the first time, in a statement posted online, that hackers accessed approximately 5.25 million unencrypted passport numbers. The attack resulted in another 20.3 million encrypted passport numbers being swiped, but there is no evidence that the hackers were able to decrypt the data, the statement said.
Translated into another code, only available to those with access to a digital key, encrypted data is harder for hackers to obtain and considered more protected, according to experts.
Marriott also said that the breach affected an estimated 383 million “unique guests,” down from the original estimate of 500 million given when the company said in November that its Starwood guest reservations database had been penetrated by hackers.
The Maryland-based hotel chain said it updated its figures following the work of a “forensics and analytics investigation team.”
“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” Arne Sorenson, Marriott’s president and chief executive, said, according to the company’s statement. “As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
Despite a decrease in the estimated number of affected customers, the Marriott breach remains among the largest data heist in history, according to The Associated Press. The data of more than 140 million Americans was exposed when Equifax was hacked in 2017, and 40 million customers had their credit card information stolen by hackers from Target in 2013.
The compromised passport numbers represent a fraction of the total data stolen by hackers, according to the company’s latest figures.
As the Post reported in November, the hackers – who gained access to Marriott records on Nov. 19 – were able to access names, addresses, phone numbers, email addresses, as well as loyalty program account information, dates of birth, gender and reservation information.
“Marriott now believes that approximately 8.6 million encrypted payment cards were involved in the incident,” the company statement said Friday, adding that 354,000 of those cards were unexpired as of September.
The company also said that while “there is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers,” it cannot rule out the possibility.
The FBI is overseeing the investigation into the data breach, which experts suspect was directed by the Chinese Ministry of State Security, according to AP.
Chinese government officials have denied involvement in the attack and promised to carry out an investigation if they’re offered evidence of wrongdoing, according to Reuters.
Priscilla Moriuchi – an analyst with Recorded Future who worked for the National Security Agency until 2017 – told AP that unencrypted passport numbers are particularly useful for tracking people’s movements and learning about their history.
“You can identify things in their past that maybe they don’t want known, points of weakness, blackmail, that type of thing,” she said.
This article was written by Peter Holley, a reporter for The Washington Post.