Marriott says 25 million passport numbers, some unencrypted, involved in massive breach

Marriott International said Friday that 383 million customer records were stolen in a data breach last month, down from the hotel chain’s original estimate of 500 million.

Roughly 25.5 million passport numbers also were compromised in the data breach affecting Starwood Hotels reservation system, the company said in a statement. Hackers spent roughly four years inside Starwood’s networks, the company announced Nov. 30.

The breach is the one of the largest ever reported and is under investigation by at least five U.S. states as well as European regulators.

Some 5.25 million of the 25.5 million passports numbers were stored in plain text, Marriott said Friday, providing hackers with a valuable means of stealing individuals’ identities. The hotel chain previously said it would compensate customers for passport replacements if they can prove they had been victims of fraud.

The company also said it believes that approximately 8.6 million encrypted payment cards were involved in the attack.

The roughly 383 million customer files is the “upper limit” of the total number of records involved in the breach, Marriott said. The company “has concluded with a fair degree of certainty that information for far fewer than 383 million” people was involved, adding there are multiple records for the same guests in that database.

“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott,” Arne Sorenson, Marriott’s president and chief executive, said in the statement.

This data breach began in 2014, roughly one year before Marriott International offered to purchase the Starwood hotel chain. Starwood properties include Westin, Sheraton, St. Regis, Aloft and other brands located worldwide.