While downsizing the estimate of how many guests were impacted by the historic breach of its hotel reservation system, Marriott International on Friday announced that roughly 5.25 million unencrypted passport numbers are now among the sensitive data illegally obtained by hackers unknown.
Saying its initial count of 500 million victims was too high, the company offered a new estimate of fewer than 383 million people, a figure based on the number of guest records found in its database. Because the system, it said, occasionally generates multiple records for a single guest, what the company really disclosed on Friday is that, as of right now, it has no reliable count of how many people have actually been affected.
Regardless, the breach of Marriott’s Starwood hotel unit seems poised to earn the title of the largest known breach of personal data, dwarfing Equifax’s 2017 security incident by more than a hundred million souls.
“The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database,” the company said.
In addition to passport data, which some theorise could be used by malign actors to track international travellers, approximately 345,000 unexpired payment cards were stored by the company. This data was encrypted, the company says, and no evidence has yet surfaced to suggest the decryption keys were stolen.
A small number of payment cards — “fewer than 2,000” — may have been stored separately and in an unencrypted format, according to Marriott. “The company is continuing to analyse these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests,” it said.
Marriott added that it completed the phase-out of the Starwood reservation system, the scene of the crime.
Speculation about a Chinese connection is rampant. Reuters first reported in December on suspicions about Beijing’s involvement, which, if true, would point to an act of espionage rather than a crime motivated by financial gain. Private investigators examining the breach have uncovered “hacking tools, techniques and procedures” suggesting China’s involvement, the newswire said, citing three sources not authorised to discuss the matter.
With the midterm elections now in the rear view, China has more or less toppled Russia as the primary focus of concern for U.S. officials with regard to state-sponsored cyberattacks. Hackers with links to the People’s Liberation Army are believed to routinely carry out sophisticated attacks on American companies, attempting to steal confidential and proprietary knowledge in pursuit of economic and technological dominance over the United States.
Last month, charges were unsealed against two Chinese intelligence officers over alleged involvement in hacking campaigns targeting over 45 businesses, as well as government agencies, including the Department of Energy and NASA’s Jet Propulsion Laboratory.