Marriott Says Hackers Stole More Than 5 Million Passport Numbers


Hackers stole more than 300 million records from Marriott in 2014.


Marriott has lowered its original estimate of the scale of a major data breach, but the number of people affected is still historic.

The hotel group announced Friday that it now believes hackers accessed the records of up to 383 million guests, following an investigation it conducted with a forensics and analytics team. In November, it had reported an estimate of as many as 500 million guests.

Even at that lower figure, the Marriott incident remains one of the largest personal data breaches in history, more than double the size of the Equifax breach, which exposed the personal data of 147.7 million Americans. Data breaches have become a common issue for massive companies that collect and store information on millions of people. In 2018, tech giants like Facebook and Reddit fell victim to data breaches.

Hackers look for poor protection that they can bypass to steal valuable details like Social Security numbers, birth dates, email addresses and credit card numbers.


In November, Marriott announced that hackers compromised the reservation database for its Starwood division, which the hotel group acquired in 2016. The Starwood group, which includes hotel lines like Sheraton, W Hotels, Westin, Le Meridien, Four Points by Sheraton, Aloft and St. Regis, had been hacked since 2014, Marriott said. 

"We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened," Arne Sorenson, Marriott's president, said in a statement.

Passport numbers swiped

The stolen data in Marriott's breach included names, addresses, phone numbers, credit card information, emails, passport numbers and travel details. 

The company announced that about 5.25 million unencrypted passport numbers were stolen in the hack, while another 20.3 million encrypted passport numbers were taken. 

"There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers," the company said in its statement. 

Marriott has offered to pay for new passports if affected guests can prove they were victims of fraud. That could cost the company up to $577 million. 

There were about 8.6 million encrypted credit card numbers stolen in the breach as well, Marriott said. It's still investigating how many stolen payment card numbers were not encrypted. 

So who's behind the Marriott breach? That remains unclear, though Reuters, The Washington Post and The New York Times reported that investigators believe China is responsible. On a Fox and Friends segment in December, Secretary of State Mike Pompeo said that China was behind the Marriott hack. 

The Department of Justice and the Department of State declined to back up his remarks. 

Lawmakers have called for companies to improve their cybersecurity, and Sen. Ron Wyden has introduced a Consumer Data Protection Act that, among other things, could lead to jail time for CEOs who've been found to have lied about data protection efforts.
