Starwood Hotels database breached including millions of passport numbers
The original notice about the Starwood guest reservation database security incident - released on November 30, 2018 - stated there may have been information on up to 500 million guests involved. This information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Further data analysis has identified approximately 383 million records as the upper boundary for the total number of guest records that were involved. However, this does not mean 383 million unique guests, as in many instances there appear to be multiple records for the same guest. While 383 million is the upper boundary, the company is not able to quantify a lower number because of the nature of the data in the database.
Marriott now believes the following about the data involved in the incident: 18.5 million encrypted passport numbers, 5.25 million unencrypted passport numbers (663,000 from the US), 9.1 million encrypted payment card numbers and 385,000 card numbers that were still valid at the time of the breach. Data involved in the incident could also include several thousand unencrypted payment card numbers.
Speaking at a US Senate subcommittee on March 7, Arne Sorenson, the CEO of Marriott International, stated that "To date, we have not found evidence that the master encryption keys needed to decrypt encrypted payment card and passport numbers were accessed, but we cannot rule out that possibility."
He also said that, up to that point, they had "not received any substantiated claims of loss from fraud attributable to the incident and the security firms they engaged to monitor the dark web have not found evidence that the stolen information has been offered for sale".