Two months after disclosing that hackers broke into its database, Marriott International has confirmed that unauthorized parties gained access to the passport numbers of millions of guests.
The hotel chain said in late November that there was a breach of its reservation database for its Starwood properties that may have exposed the personal information of up to 500 million people. The incident potentially affected guests who stayed at a Starwood hotel since 2014.
The breach was among the largest in history, ranking second only to the Yahoo data breaches that occurred in 2013 and 2014.
In a statement on Friday, Marriott said the number of guests involved in the data breach is lower than its original estimate of 500 million, but it didn’t give an exact figure. The chain said 383 million was the “upper limit” of potentially affected guests.
25 million passport numbers involved
Information possibly extracted in the breach included passport numbers, email addresses, and payment-card data, the company said.
Marriott said it has “concluded with a fair degree of certainty that information for far fewer than 383 million” people was compromised. The chain said that in many cases, there appear to be multiple records for the same guests.
Approximately 25.5 million passport numbers were also compromised in the breach, which spanned almost four years. Marriott said roughly 5.25 million of the 25.5 million passport numbers were stored in plain text.
Last month, Marriott said it would compensate consumers for passport replacements if they could provide evidence that they had been victims of fraud.
“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott,” Arne Sorenson, Marriott’s president and chief executive, said in a statement.