Marriott says 383m customers were hit in data breach

(Image credit: Wikimedia)

Following the disclosure of its massive data breach in November, the international hotel chain Marriott has released an update on the incident revealing that fewer guests were affected than previously thought.

In a press release, the hotel chain explained that 383m guests were affected by the breach as opposed to its initial estimate of 500m, saying:

"Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident. This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest." 

However, while the number of affected guests has been lowered, Marriott confirmed that the hackers responsible did manage to steal approximately 5.25m unencrypted passport numbers. They also stole 20.3m encrypted passport numbers but the hotel said there is no evidence that they acquired the master encryption key needed to decrypt them.

Stolen card details

Marriott also provided an update regarding the payment card details stolen during the hack. According to the hotel chain, the hackers stole 8.6m encrypted payment cards but once again they did not manage to get their hands on the encryption key needed to decrypt them.

Even if the hackers had stolen the encryption key, only 354,000 cards were still valid in September 2018, so most of the card details would have been useless.

Marriott also discovered several cases where customers had accidentally entered their payment information in the wrong reservation fields. This means that those numbers were not encrypted and appeared as plain text to the hackers behind the breach. Luckily though, the number of customers who did this came in at less than 2,000.

Finally the hotel chain announced that it had phased out its Starwood reservation system after it was breached. The system had been used at Marriott's subsidiary Starwood and many of its smaller hotel brands. Going forward, Starwood and all of its subsidiary brands will be managed by the hotel's central reservations system.

  • Also check out the best antivirus to help keep your systems safe online
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.