Marriott Starwood Guest Reservation Database Security Incident Update (February 15, 2019)


Marriott released an update on Friday regarding the Starwood Guest Reservation Database hack, which had been going on for years before it was discovered last year.


Marriott has now determined that the leaked data contained roughly five million unencrypted passport numbers and around twenty million encrypted ones.


Here’s the update from Marriott (access here):

The initial announcement we made on November 30, 2018, about the Starwood guest reservation database security incident stated that there may have been information on up to 500 million guests involved. We also reported that for approximately 327 million of these guests, the information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, communication preferences, and encrypted payment card numbers.

When we made this announcement, our work analyzing the data involved was underway. Since that time, we have been working to remove duplicate information and to determine how many records had particular types of data present.

After further data analysis, we have identified approximately 383 million records as the upper boundary for the total number of guest records that were involved in the incident. This does not, however, mean that information about 383 million unique guests was involved, as in many instances there appear to be multiple records for the same guest. We concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.

Allowing for the fact that even the most exhaustive investigation cannot necessarily provide complete certainty, Marriott now believes the following about the data involved in the incident:

  • There were approximately 8.6 million unique payment card numbers, all of which were encrypted;

  • There were approximately 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers.

Here’s the form they ask you to fill (access here):


Nobody should be surprised that Marriott tried to bury this update by releasing it on a Friday, the day companies use to distribute negative information in the hope that the media won’t catch it before the weekend and it will be old news by Monday.

Shouldn’t Marriott email the customers whose passport information was stored in unencrypted form and pay to have those passports replaced? That should cost perhaps half a billion.

The other 20 or so million passport numbers that were encrypted are likely hacked too, and Marriott should pay for their replacement as well. Perhaps another two billion, plus all the expenses. Can we count on Marriott to do the right thing?