Marriott downgrades severity of 2018 data breach: 383 million customers affected

In November 2018, hotel giant Marriott disclosed a data breach affecting its Starwood chain, in which up to 500 million customers’ personal data was stolen.

It has now completed its investigation into the incident and revised its estimate of affected customers to a slightly less disastrous 383 million.

The majority of stolen records were names and contact details, but Marriott has confirmed that the crooks (who are allegedly part of a Chinese intel-gathering operation) also stole 25.55 million passport numbers, of which 5.25 million were unencrypted, and 8.6 million payment card details, all of which were encrypted.

Data breaches are never causes for celebration, but Marriott’s update provides two reasons for optimism.

First, its original disclosure didn’t downplay the damage of the breach in order to protect the organisation’s reputation. Instead, it weathered the negative reaction, made sure that all potentially affected customers were notified and ultimately put a positive spin on the story.

That’s not to say we should forget about the millions of customers whose data is affected, but it shows a level of responsibility that was lacking with the likes of Yahoo, which repeatedly bungled its data breach response.

Second, Marriott was originally unsure whether its Advanced Encryption Standard (AES-128) technology would hold up to the crooks’ attack, but it has since revealed that “there is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers.”

This means it’s likely that the encrypted data, which accounts for the majority of sensitive information involved, won’t have been misused.

What now for Marriott?

Marriott suspects that there are up to 2,000 instances of customers accidentally entering their payment details in the wrong field, meaning the information was stored as plaintext and accessible to the criminal hackers. The organisation is analysing its database to find instances of this, and will notify affected individuals.

In the meantime, it is maintaining its FAQ page and phone service for those with additional questions.

Finally, Marriott confirmed that it has now phased out its Starwood reservation system, which had been used in many of its smaller hotel brands. It has been replaced by the hotel chain’s central reservations system.
