
Starwood Hotels database breached including millions of passport numbers

Giulio Saggin
Tuesday, 28 November 2023

The original notice about the Starwood guest reservation database security incident - released on November 30, 2018 - stated that information on up to 500 million guests may have been involved. This information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

Further data analysis has identified approximately 383 million records as the upper boundary for the total number of guest records that were involved. However, this does not mean 383 million unique guests, as in many instances there appear to be multiple records for the same guest. While 383 million is the upper boundary, the company is not able to quantify a lower number because of the nature of the data in the database.

Marriott now believes the following about the data involved in the incident: 18.5 million encrypted passport numbers, 5.25 million unencrypted passport numbers (663,000 from the US), 9.1 million encrypted payment card numbers and 385,000 card numbers that were still valid at the time of the breach. Data involved in the incident could also include several thousand unencrypted payment card numbers.

Speaking at a US Senate subcommittee on March 7, Arne Sorenson, the CEO of Marriott International, stated that "To date, we have not found evidence that the master encryption keys needed to decrypt encrypted payment card and passport numbers were accessed, but we cannot rule out that possibility."

He also said that, up to that point, they had "not received any substantiated claims of loss from fraud attributable to the incident and the security firms they engaged to monitor the dark web have not found evidence that the stolen information has been offered for sale".
