Marriott International has revised the number of guests affected by a major data breach of the Starwood reservations system announced in November, reducing the number of "potentially involved" customers to 383 million from its initial estimate of 500 million. The true number is likely even lower, due to "many instances" of multiple records existing for the same guest, Marriott said.
Among the data accessed during the breach, which ran from 2014 until it was discovered in September 2018, were 5.25 million unencrypted passport numbers, along with 20.3 million encrypted passport numbers, according to Marriott. There is "no evidence" that hackers accessed the master encryption key needed to decrypt the encrypted passport numbers, the hotel giant added, but unencrypted numbers were free for the taking.
Payment card data also was accessed during the breach, with 8.6 million encrypted payment cards involved in the incident. However, all but 354,000 were expired as of September 2018. There is "no evidence" that any of the components needed to decrypt the card numbers were accessed, Marriott said. Nonetheless, the hotel chain is performing additional analysis to determine whether payment card numbers were entered into other data fields that were not encrypted.
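The follow-up analysis described above, checking whether card numbers landed in fields that were never meant to hold them, is a check a defender can script: scan every non-card field for digit runs that pass the Luhn checksum and report them masked. This is an added example, not Marriott's own analysis; the record layout, the `card_number` field name and the sample values are constructed.

```python
import re

def luhn_valid(digits):
    """Standard mod-10 (Luhn) checksum used by the major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13 to 19 digits, optionally separated by spaces or dashes, as a clerk might type them.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text):
    """Return the Luhn-valid digit runs found in a free-text value."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def scan_records(records, card_fields=("card_number",)):
    """Yield (record id, field, masked PAN) for every card-like value that sits
    outside the designated (encrypted) card fields."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field in card_fields or not isinstance(value, str):
                continue
            for pan in find_pans(value):
                # never log the full number; keep only the last four digits
                findings.append((rec["id"], field, "*" * (len(pan) - 4) + pan[-4:]))
    return findings

# Constructed sample records (not real guest data).
SAMPLE_RECORDS = [
    {"id": 1, "card_number": "<encrypted blob>", "notes": "Late arrival, requested crib."},
    {"id": 2, "card_number": "<encrypted blob>", "notes": "Guest gave card 4111 1111 1111 1111 by phone"},
    {"id": 3, "card_number": "<encrypted blob>", "notes": "Confirmation 1234567890123, no card on file"},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

Record 3 shows why the Luhn check matters: a 13-digit confirmation number looks like a card number to a regex alone but fails the checksum and is not reported.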
Marriott continues to offer support for customers affected by the breach, including a dedicated website and call center. The phaseout of the Starwood reservations system, undertaken as a result of Marriott's 2016 acquisition of Starwood, was completed as of the end of 2018, with all reservations now running through Marriott's system.
The data breach is believed to be the work of Chinese government intelligence gathering efforts, according to reports. Chinese officials have denied responsibility.
After the November announcement of the breach, some corporate travel managers said they would consider including in their supplier contracts provisions that mandate card and passport replacement in the event of a breach. And the inclusion of payment card information among the exposed data could provide more impetus for adoption of one-time-use virtual cards in the corporate travel sector.
Meanwhile, the unauthorized access of passport numbers raises the question of whether hotels should collect such data in the first place, according to Matt Aldridge, senior solutions architect at Webroot, a cybersecurity and threat intelligence specialist. One of the biggest impacts of the European Union's General Data Protection Regulation "was that it forced companies to consider the personal data they hold and ask customers for, whether this data was really needed and if so how to properly protect it," noted Aldridge. "This is a great example of too much data being collected and retained."
While some countries and local governments require hotels to store guest data for domestic security purposes, Aldridge said hotels should transfer such data directly to the proper authorities rather than retaining it themselves. "This is just one example among far too many where data is being requested and stored without proper justification and certainly without appropriate measures in place to protect that data," said Aldridge.
Updated at 4:15 p.m. Eastern on March 4, 2019, to remove the assertion that the Starwood data breach is the largest in U.S. history.