Marriott has advised customers that the data breach it disclosed last November involves fewer guest records than previously thought.
The hotel giant initially discovered the breach, affecting the Starwood guest reservations database, back in September 2018 and, after an initial investigation, admitted that it affected some 500 million guest records.
The attack took place over a four-year period between 2014 and September 2018, when it claims the hack was discovered.
Marriott now says that “working closely with internal and external forensics and analytics investigation,” it believes the number to be about 383 million records.
A statement from the company also says that the number of payments cards and passport numbers included in the breach is a “relatively small percentage” of the total records.
It goes on to say: “The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.”
The statement adds that about 5.25 million unencrypted passport numbers were included in the data breach and information accessed also includes about 20.3 million encrypted passport numbers.
Meanwhile, 8.6 million encrypted payment cards are said to have been involved in the breach, of which about 354,000 were unexpired when Marriott encountered the attack in September.
The statement adds: “There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers.”
Marriott says it has now phased out “operation” of the Starwood database involved in the attack and that all reservations are running through the Marriott system.
The company completed its acquisition of Starwood in September 2016.
Not the end of the story
The attack has raised major concerns in the hospitality industry around how the breach occurred, as well as data privacy and security issues and whether there is a need for more regulation.
There are also wider issues for the Marriott brand in terms of regaining customer trust.
Brian Vecci, technical evangelist at security software company Varonis, says it’s not enough for companies to just stress their commitment to protecting customers’ data - they must show how and back it up.
“Whenever a major breach occurs, companies issue an apology, reaffirm their commitment to protecting customer data and offer data monitoring as a consolation prize. At that point, the damage has already been done and it’s little help to those affected. These steps also don’t address the root of the problem: Companies have too much sensitive data that’s unmonitored and at risk.
“In the long term it’s going to take time and commitment to win back consumer trust by putting the right kinds of security and privacy controls in place to make sure a large breach doesn’t happen again.”