Published: Sun, January 06, 2019
Business | By Eloise Houston

Marriott says fewer guests affected in Starwood hack


The company said it didn't find evidence that the hackers were able to decrypt the protected data.

Starwood hotels, which include Trump Turnberry in Ayrshire, London's Park Lane Sheraton Grand, Westbury Mayfair and Le Meridien Piccadilly, stopped using their own reservation database at the end of 2018 and have now integrated with the Marriott system.

Hotel megachain Marriott International has gone into further detail on the cyber-raid on its reservation database, including the number of payment cards and passport details siphoned off by hackers. In an update today, Marriott stated that the number of affected customers is lower than expected at 383 million, but that 5.25 million unencrypted passport numbers were accessed.

Marriott is putting in place a mechanism to enable its designated call center representatives to refer guests to the appropriate resources to enable a look up of individual passport numbers to see if they were included in this set of unencrypted passport numbers.

In November 2018, Marriott announced that there was unauthorized access to their Starwood Preferred Guest reservation system and that the data for up to 500 million guests had been compromised.

After consulting internal and external investigators, the world's largest lodging company now believes that no more than 383 million customers - and probably fewer - had their data exposed to unauthorized parties, Marriott said Friday in a statement.

"This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest", Marriott added.

The hotel giant said there's no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers. It is still investigating how many stolen payment card numbers were not encrypted.

Last but not least, Marriott said it also discovered cases where users accidentally entered their payment card numbers into the wrong reservation fields, meaning these numbers weren't encrypted and are still accessible to hackers in cleartext. Replacing a passport is much more time-consuming and involved than replacing a payment card compromised in a breach, and passport numbers are quite valuable as unique identifiers.

Marriott has established a dedicated website and call center to answer questions guests may have about this incident.

Marriott said in its Friday update that it has "completed the phase out" of Starwood's reservation database and now runs guest bookings through its Marriott database, which was not affected by the breach.
