Marriott International has scaled back the number of customers whose data might have been stolen in what it termed “unauthorized access” to its Starwood brand reservations database that was first disclosed in late November.
The Bethesda-based company in a statement released Friday morning said an analysis “has concluded with a fair degree of certainty” that the data breach involved fewer than 383 million guest records from its Starwood lodging group computer systems, down from the 500 million originally feared.
Cybersecurity experts have said the breach, which may have started five years ago, appears to be part of a pattern of system break-ins targeting large companies and government agencies this decade.
In its announcement, Marriott said it has finished merging the Starwood reservation system with its own. Starwood brands include Sheraton Hotels & Resorts, Westin Hotels & Resorts, W Hotels and some timeshare properties.
Marriott called the 383 million figure the “upper limit” of guest records that might have been taken, stressing that there might be multiple records for the same guest.
Marriott estimated 5.25 million unencrypted passport numbers, and 20.3 million encrypted passport numbers, might have been taken. In addition, 8.6 million encrypted credit or payment cards might have been stolen.
The company said a forensic analysis has found no sign that the encryption keys needed to unlock the encrypted data were taken. The statement did not say whether the source of the attack has been determined.
Hackers could have taken names, addresses, telephone numbers, email addresses, passport numbers, birth dates, gender, loyalty program account information, and reservation histories, according to the hotelier and Federal Trade Commission.
“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott,” Arne Sorenson, Marriott’s president and CEO, said in a statement.
Marriott has offered to pay for a year of web data monitoring for customers and has established an around-the-clock call center to field questions.