UPDATED 12:47 EDT / JANUARY 04 2019

SECURITY

Massive Marriott breach included 5M+ unencrypted passport numbers

A clearer picture is emerging of the massive data breach that Marriott International Inc. disclosed in November.

The hotel chain today released findings from the ongoing investigation into the hack, which was initially thought to have affected the records of up to 500 million customers.

All of the compromised information came from a guest database belonging to Marriott’s Starwood subsidiary. The hackers first gained access to the system in 2014, when Starwood was still a separate company, and went undetected until September 2018.

The good news is that the scope of the breach is smaller than previously believed. In its statement today, Marriott said the internal and external security teams running the investigation “identified approximately 383 million records as the upper limit” of the compromised data.

The number of affected guests is likely smaller still because of duplicate customer records. “The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database,” Marriott said.

There’s also bad news. The investigators found that the stolen data trove included approximately 20.3 million encrypted passport numbers and, most alarmingly, 5.25 million more stored in plain text. The attackers would have been able to read that second batch directly, with no decryption required.

Besides passport numbers, Marriott indicated back in November that the breach may have exposed other personal data such as customers’ mailing addresses, phone numbers and dates of birth. The compromised Starwood system also contained payment card information.

The hotel chain’s investigation found a total of 8.6 million debit and credit card numbers in the database, though fortunately, they were better protected than the passport entries. Marriott said that all but about 2,000 of the numbers were kept in an encrypted form.
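The detail that matters to a practitioner in the two paragraphs above is the mix: the same kind of sensitive value sitting encrypted in most rows and in the clear in others. The following audit script is an added example, not code from Marriott, Starwood or the investigators. It assumes a guest-record export with the field names card_number, passport_number and notes, assumes that application-level encryption stores ciphertext as base64 text of AES-GCM output (nonce plus tag, so at least 28 bytes), and runs over constructed sample records; the passport-number pattern is a heuristic, not a validated format.

```python
"""Audit a guest-record export for card and passport numbers stored in plain text.

Added example, not code from Marriott or its investigators. Field names, the
ciphertext encoding and the sample records below are all assumptions.
"""
import base64
import binascii
import re

# Assumed schema: these fields must hold ciphertext, never a raw value.
ENCRYPTED_FIELDS = {"card_number", "passport_number"}

# 15- or 16-digit runs, with optional spaces or dashes, not embedded in a longer number.
CARD_RE = re.compile(r"(?<!\d)(\d[ -]?){14,15}\d(?!\d)")
# Heuristic passport shape (one or two letters then 6-9 digits), e.g. "C12345678".
PASSPORT_RE = re.compile(r"[A-Z]{1,2}\d{6,9}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_encrypted(value: str) -> bool:
    """Assumption: ciphertext is base64 of AES-GCM output (12-byte nonce + 16-byte tag at least)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 28


def classify_protected(value: str) -> str:
    """Classify a value found in a field that is supposed to be encrypted."""
    digits = re.sub(r"[ -]", "", value)
    if digits.isdigit() and len(digits) in (15, 16) and luhn_ok(digits):
        return "plaintext_card"
    if PASSPORT_RE.fullmatch(value):
        return "plaintext_passport"
    if looks_encrypted(value):
        return "ciphertext"
    return "unknown"  # neither recognisable plaintext nor ciphertext: needs a human look


def mask(value: str) -> str:
    """Keep only the last four characters so the audit report is not itself a leak."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def audit(records):
    """Return (guest_id, field, kind, masked_value) for every value that should not be there."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            if field in ENCRYPTED_FIELDS:
                kind = classify_protected(value)
                if kind != "ciphertext":
                    findings.append((rec["guest_id"], field, kind, mask(value)))
            else:
                # Card numbers typed into free-text fields bypass field-level encryption entirely.
                for m in CARD_RE.finditer(value):
                    digits = re.sub(r"[ -]", "", m.group(0))
                    if luhn_ok(digits):
                        findings.append((rec["guest_id"], field, "card_in_free_text", mask(digits)))
    return findings


# Constructed sample export. The base64 strings stand in for real ciphertext.
SAMPLE_RECORDS = [
    {"guest_id": 1, "card_number": "qSxkbNEKZ3hgs0ZjSflqNlZ9o4x5FWqxVymMjmsQ6l4c1zvb",
     "passport_number": "R2cVtQpz8hJmLkW3nXyBdFgHsTaPeOiUqYwZxCvBnMlKjHgF", "notes": "late checkout"},
    {"guest_id": 2, "card_number": "hYtRfGvBnJuMkIlOpQaZsXdCeVrBtNyMuIkOlPqWsEdRfTgY",
     "passport_number": "C12345678", "notes": ""},            # passport stored in the clear
    {"guest_id": 3, "card_number": "qSxkbNEKZ3hgs0ZjSflqNlZ9o4x5FWqxVymMjmsQ6l4c1zvb",
     "passport_number": "R2cVtQpz8hJmLkW3nXyBdFgHsTaPeOiUqYwZxCvBnMlKjHgF",
     "notes": "guest asked to bill 4111 1111 1111 1111 for incidentals"},  # card in free text
    {"guest_id": 4, "card_number": "378282246310005",          # card stored in the clear
     "passport_number": "hYtRfGvBnJuMkIlOpQaZsXdCeVrBtNyMuIkOlPqWsEdRfTgY", "notes": ""},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(finding)
```

Run against a real export, the interesting output is not the rows it flags but the "unknown" category: values that are neither recognisable plaintext nor well-formed ciphertext usually mean a second, undocumented write path into the table, which is exactly the kind of gap that lets a minority of records stay unencrypted for years.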

The reason the breach appears to have been limited to Starwood is that its guest database ran separately from the rest of the Marriott network. Marriott acquired the hotel group in 2016 as part of a $13.6 billion deal that naturally included a great deal of existing technology infrastructure. According to the company, it formally phased out the compromised guest system at the end of 2018.

Marriott’s investigation hasn’t yet identified the perpetrators of the breach. However, Reuters and The New York Times reported last month that security experts see similarities between the attack and previous large-scale data breaches attributed to China.

Photo: Marriott
