Marriott Starwood Hack Update: 5 Million Passport Numbers Exposed, but Fewer People Impacted Than Initially Reported

Marriott announced a hack in its Starwood reservations database in November. The company originally estimated that 500 million guests had their information compromised but is now saying that more than 383 million records were actually involved. Scott Olson/Getty Images

Following a November announcement about a hack of its Starwood reservations database, Marriott provided an update to customers Friday. The update includes a more accurate number of guests who used the Starwood database and had their passport numbers and payment information exposed in the hack.

Originally, Marriott estimated that 500 million guests had their information compromised, but it is now saying that more than 383 million records were actually involved. The company also noted that while 383 million is the upper limit of records that may have been compromised, that doesn't mean all 383 million records and guests definitely had their passport numbers or payment information compromised.

After first discovering the hack, Marriott launched investigations into its extent. The company worked with its internal and external forensics and analytics teams to learn more about the breach, according to a release. It was through that investigation that the company found that the initial estimate of those affected was higher than the actual number of customers who had their information exposed. The company also found that in some cases, the same customer had more than one record within the database.

The company also has updated estimates about how many passport numbers and how many payment methods were actually compromised. Marriott said that 5.25 million unencrypted passport numbers were part of the information that was compromised and accessed in the hack.

In addition to those unencrypted passport numbers, there were also 20.3 million encrypted passport numbers that were compromised. The investigation showed no evidence that the encryption key was accessed, however, so those encrypted passport numbers could be safe.

There were also 8.6 million payment cards that were compromised in the hack, though all of the numbers were encrypted and again there was no evidence that the encryption key was accessed. Some of those cards were also expired as of September 2018.

Customers worldwide concerned about the hack can contact Marriott via the call center and will be directed to the correct channels to determine whether their passport numbers were among those compromised. The company also said there were plans to create a website on which customers could plug in their passport numbers to check whether they were affected.