Out-Law News

Marriott updates on data breach impact

Fewer people were impacted by the Marriott data breach than first thought, but up to 383 million hotel guests may have had their personal information compromised in the incident, the company has admitted.

In November last year, Marriott International announced that up to 500 million hotel guests may have had their data stolen after it discovered there had been "unauthorised access" to one of its databases since 2014. The breach was identified during an investigation into a security incident that occurred on 8 September 2018.

At the time, the company said the breach was limited to Marriott International's Starwood database, which contains information on guests who stayed at hotels under the Starwood brand, including W Hotels, St. Regis, Sheraton Hotels & Resorts and Westin Hotels & Resorts. It confirmed that guests' names, addresses, phone numbers, passport numbers, dates of birth, gender, arrival and departure information, reservation dates and, in some cases, payment card details were compromised.

In a new statement, Marriott International said it had completed the "phase out" of the Starwood database that was affected. It also said it believes fewer than 383 million people were affected by the incident, but that it has not been able to confirm the precise number of customers impacted.

"Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident," the company said. "This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest. The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database."

Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said, though, that other new disclosures made by Marriott about its data breach highlighted the importance of encrypting data. He said businesses that fail to properly encrypt personal data, in particular sensitive payment card data, will open their customers up to increased risk of fraud, and that those companies may face associated claims for compensation under data protection law.

Marriott International confirmed that approximately 5.25 million unencrypted passport numbers had been "accessed by an unauthorised third party". A further approximately 20.3 million encrypted passport numbers were also accessed, but the company said there is "no evidence" that the hacker had also "accessed the master encryption key needed to decrypt those encrypted numbers".

The company also provided an update on the volume of payment card data that it believes was compromised in the breach. In total, approximately 8.6 million encrypted payment card numbers were affected, it said, and "there is no evidence that the unauthorised third party accessed either of the components needed to decrypt the encrypted payment card numbers". It said it is conducting further checks to determine "if payment card data was inadvertently entered into other fields and was therefore not encrypted"; field-level encryption protects only the fields it is applied to, so a card number typed into a free-text field would have sat in the database in the clear regardless of how well the designated card-number field was protected. It said fewer than 2,000 potential payment card numbers may have been stored in an unencrypted format.
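The check Marriott describes, looking for card numbers that ended up in fields the encryption never covered, is a routine part of breach scoping. The following is an added example of how such a scan is typically done; it is not Marriott's or Pinsent Masons' code and the guest records in it are constructed for illustration. It pulls digit runs of plausible card length out of free-text fields, normalises spaces and dashes, and keeps only candidates that pass the Luhn checksum, masking anything it reports so the scan output does not itself become a new store of cleartext card numbers.

```python
import re
from typing import Dict, List, Tuple

# Digit runs of 13 to 19 digits, optionally grouped by single spaces or dashes,
# bounded by non-digits so a longer run is not carved into a shorter "card number".
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample records (not real guest data). The dedicated card-number
# column is assumed to be encrypted, so only free-text fields are scanned here.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "R1", "notes": "Guest asked to bill incidentals to 4111 1111 1111 1111",
     "phone": "+44 20 7418 7000"},
    {"id": "R2", "notes": "Confirmation 1234567890123456, late checkout approved",
     "phone": "+1 415 555 0100"},
    {"id": "R3", "notes": "Prefers high floor, no special requests", "phone": ""},
    {"id": "R4", "notes": "Deposit card 5555-5555-5555-4444 taken at desk",
     "phone": "+1 212 555 0199"},
]
FREE_TEXT_FIELDS = ("notes", "phone")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_candidates(text: str) -> List[str]:
    """Return normalised digit strings in text that have card length and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; the scan report must not hold full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_records(records: List[Dict[str, str]],
                 fields: Tuple[str, ...]) -> List[Tuple[str, str, str]]:
    """Return (record id, field name, masked PAN) for every PAN-like value in the given fields."""
    hits = []
    for rec in records:
        for field in fields:
            for pan in find_pan_candidates(str(rec.get(field, ""))):
                hits.append((rec["id"], field, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for rec_id, field, masked in scan_records(SAMPLE_RECORDS, FREE_TEXT_FIELDS):
        print(f"record {rec_id}: PAN-like value in unencrypted field '{field}': {masked}")
```

Run against the sample data, the scan flags R1 and R4 and ignores the phone numbers (too short) and the 16-digit confirmation number in R2 (fails Luhn). The Luhn filter removes most noise but is not proof: roughly one in ten random digit strings of the right length passes it, so flagged values still need review before they are counted as cardholder data, which is one reason the kind of "fewer than 2,000 potential payment card numbers" figure quoted above is stated as a potential rather than a confirmed count.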

Marriott International said its update on the breach came after work had been carried out by an internal and external forensics and analytics investigation team.

Birdsey said: "There are real challenges associated with mining and analysing data compromised in a breach to identify the number of individuals impacted and the categories of data concerned, most notably in the time this process takes to complete. Companies are often unfairly criticised for taking too long to notify. This ignores the myriad challenges and steps that need to be taken to determine with a reasonable degree of certainty who is impacted and to what degree."

"De-duplicating records is often a difficult exercise where multiple systems or brands are concerned, as appears to be the case here," he said.

"The categories of data concerned in this incident appear to be rich in nature so the risk of fraud is heightened where that data is unencrypted," Birdsey said.

Arne Sorenson, Marriott’s president and chief executive, said: "We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened. As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott."
