- After continued investigation, Marriott International identified about 383 million records "as the upper limit" for guests involved in the breach, as opposed to the initial 500 million disclosed in November, according to a company announcement Friday.
- However, the hospitality company also found about 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers were compromised. Marriott has yet to find evidence suggesting the unauthorized party had access to the master encryption key needed for the 20.3 million passport numbers.
- About 8.6 million encrypted payment cards were involved, but Marriott found no reason to believe the intruder was able to access "components needed to decrypt" the cards.
The implicated server was inherited in the Starwood acquisition in 2016. The server had been unlawfully accessed since 2014.
When Marriott found the intrusion, the company discovered the perpetrators had worked on copying and encrypting the server's information and begun the process of removing it.
While investigations which include the Federal Bureau of Investigation continue, Marriott has "completed the phase out" of the compromised Starwood reservations database as of the end of 2018, according to the announcement. Reservations are now done under Marriott's server umbrella.
This is "another example of a merger and acquisition where testing the resiliency of the current security controls would have assisted in both the visibility of gaps and discovery that Starwood Hotels was already breached," said Stephan Chenette, CTO and co-founder of AttackIQ, in an email to CIO Dive.
The fault of the breach lays solely on Marriott despite the vulnerability coming from property owned by Starwood. The intruders gained access to an elite class of customers and personal data, including mailing address, guest account information, arrival and departure information, communication preferences, and of course, email, gender, birth date, etc.
"Marriott will feel the burden of this breach through fines under GDPR and damage to their reputation, potentially causing customers to turn to their competitors," said Chenette.