A massive breach of Marriott guest data that was thought to have affected around 500 million people may have had a smaller impact than initial reports suggested, but also exposed the passport numbers of several million people, the company announced on Friday.
Marriott first disclosed the breach on November 30, saying hackers targeted its Starwood reservation system and accessed the personal information of hundreds of millions of guests who had stayed in the hotel chain’s properties since 2014.
The company has since identified roughly 383 million records “as the upper limit for the total number of guest records that were involved in the incident,” according to the latest release, though it noted that some of those records were duplicates. Of those 383 million, approximately 5.25 million guests’ unencrypted passport numbers were included, as well as 20.3 million encrypted passport numbers. Approximately 8.6 million encrypted credit or debit card numbers were also exposed.
Some experts believe that the breach may have been the result of a Chinese intelligence-gathering effort, according to a December report by the New York Times. Marriott began investigating the hack in September and has yet to publicly identify the culprit, but two people with knowledge of the investigation told the Times that the hackers may have been working on behalf of China’s Ministry of State Treasury and also targeted health insurers and security clearance files. The Wall Street Journal reported on Friday that government officials familiar with the investigation “increasingly view China as the leading suspect in the breach.”
Marriott has yet to confirm this information. “Our primary objectives in this investigation are figuring out what occurred and how we can best help our guests,” a Marriott spokesperson told Vox in December. “We have no information about the cause of this incident, and we have not speculated about the identity of the attacker. We alerted law enforcement and are cooperating with the investigation.”
Who is affected by the Marriott hack?
The hack affected an estimated 300 million guests who have stayed at Marriott’s Starwood brand hotels since 2014. Those properties include the W Hotels, the St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, the Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, Design Hotels, and Starwood-branded timeshares, according to the company. (Marriott acquired Starwood Hotels & Resorts Worldwide in 2016 for $13.6 billion.)
Marriott will begin emailing guests whose information may have been compromised on November 30, the company said in a statement. It has also set up a dedicated website and call center for guests who have questions about the hack and whether their information was compromised, and is giving guests in the US, UK, and Canada free year-long subscriptions to WebWatcher, software that alerts users to potential identity theft or fraud.
“The names, addresses, passport numbers and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted,” Ted Rossman, an industry analyst at CreditCards.com, told Skift, a business-to-business media company that reports on the travel industry. “People should be concerned that criminals could use this info to open fraudulent accounts in their names.”
Rossman recommended that anyone whose information may have been compromised freeze their credit cards to prevent the hackers from opening fraudulent accounts in their name.
How to protect yourself against big data breaches and hacks
Marriott is by no means the first big company to get hacked. Mashable keeps a running list of companies that have been hacked, including eBay, Home Depot, and Chipotle. Target was hacked in 2005, and again in 2014; the second breach affected 70 million people. In 2017, hackers targeted the credit reporting agency Equifax, exposing the information of more than 145 million customers — nearly half the total US population.
After last year’s Equifax hack, Wired put together a guide to protecting yourself and your information. Some of the tips are straightforward, like changing your passwords and using a password manager instead of reusing passwords from site to site. They also suggest that you check the website HaveIBeenPwned to see if your information is floating around somewhere on the internet without your knowledge. If your information has been compromised, the good news is that passwords and credit card numbers are easy to change. If hackers got access to your Social Security number, though, Wired suggests you keep an eye on your bank account from now until the end of time.
Even if your information wasn’t compromised in the Marriott hack, it’s possible that at some point, your name, address, credit card information, or even your Social Security number has been exposed through some kind of corporate hack. The Marriott hack is being described as one of the biggest data breaches in history — and it’s unlikely to be the last.