Arne Sorenson, chief executive of Marriott, said: "We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened". They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points.
When Marriott revealed the attack on November 30, it said hackers had used a breach in the Starwood Hotels & Resorts reservation database to gain access to records for as many as 500 million guests. Marriott will soon enable customers to access "resources" to see whether their passport numbers were exposed.
Marriott added that it completed the phase-out of the Starwood reservation system, the scene of the crime. Of those, 354k of the cards were still unexpired by September 2018.
In a statement released Friday, the hotel chain said the "upper limit" for the number of potentially compromised guests is around 383 million, though it's likely that some of those records are duplicates. The company cautions that this doesn't necessarily mean 383 million individual guests were impacted, as there are apparently multiple records for the same guest.
- Marriott says fewer guest records than originally thought were accessed during a data security breach reported past year but did confirm there was unauthorized access to millions of passport numbers during the incident.
Further investigation into the incident, which hit the reservation system of the company's Starwood portfolio in 2014, estimates that a total of 5.25 million unencrypted passport numbers were obtained, as well as 20.3 million encrypted passport numbers. This data was encrypted, the company says, and no evidence has yet surfaced to suggest the decryption keys were stolen. The website lists phone numbers to reach the company's dedicated call center and includes information about the process to follow if guests believe they experienced fraud as a result of their passport numbers being involved in this incident. They go on to say that there is no evidence that the third-parties had access to the key to decrypt these payment cards. Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers.
The company also has updated estimates about how many passport numbers and how many payment methods were actually compromised.
A clearer picture is emerging of the massive data breach that Marriott International Inc. disclosed in November.