Marriott International says its recently discovered mega-breach isn’t quite as bad as first advertised, in terms of the total number of victims. But it also warns that hackers stole 5.25 million unencrypted passport numbers that its hotels were storing as well as 8.6 million encrypted payment cards.
On Nov. 30, 2018, Marriott said it had suffered a breach that began in 2014 with a breach of the reservation database used by Starwood Hotels & Resorts Worldwide, which Marriott acquired in September 2016 for $13 billion (see: Marriott’s Mega-Breach: Many Concerns, But Few Answers).
Marriott originally estimated that the breach exposed information for 500 million customers. It also said that for 327 million customers, exposed information included their “name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.”
But on Friday, Marriott said that instead of its estimate of 500 million customers having had some form of personal information exposed, it now believes that 383 million is the “upper limit” of affected customers.