The company said the contents of the stolen data were from the Starwood guest reservation database, which it acquired when it bought Starwood and its 1,200 properties in 2016 for $13 billion. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points.
The company reported that approximately 8.6 million encrypted payment cards were involved in the incident and that approximately 354,000 of those payment cards were unexpired as of September 2018.
While the passport numbers would be considered sensitive personal information that should not be made public, the numbers and names of guests alone would not be enough for a criminal to create a forged passport.
"Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident", the hotel chain said today. Because the system, it said, occasionally generates multiple records for a single guest, what the company really disclosed on Friday is that, as of right now, it basically has no idea how many people have actually been affected.
In addition to updating its information about impacted guests, Marriott has stated that it believes around 5.25 million unencrypted passport numbers were accessed by the hacker(s).
Saying its initial count of 500 million victims was too high, the company offered a new estimate of fewer than 383 million people, a figure based on the number of guest records found in its database. There is no evidence that they were able to use the master encryption key required to gain access to that data. Some of those cards were also expired as of September 2018. They go on to say that there is no evidence that the third parties had access to the key to decrypt these payment cards. Marriott said it believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The website lists phone numbers to reach the company's dedicated call center and includes information about the process to follow if guests believe they experienced fraud as a result of their passport numbers being involved in this incident.
The company also has updated estimates about how many passport numbers and how many payment methods were actually compromised.
Marriott said in its Friday update that it has "completed the phase out" of Starwood's reservation database and now runs guest bookings through its Marriott database, which was not affected by the breach.