Marriott Updates Guests On Its Massive Security Breach…And The News Isn’t Great




At the end of November 2018 Marriott announced that, earlier in the month, it had called in security experts after its systems detected an unauthorised attempt to access the Starwood guest reservation database.

The subsequent investigation found that there had been unauthorised access to the Starwood network since 2014 (no, that’s not a typo) and that the personal details of up to 500 million guests who had made a reservation at a Starwood property may have been compromised.

The information exposed was said to range from names, addresses and phone numbers through to dates of birth, passport numbers and, for some guests, payment card numbers and expiry dates – this was one of the biggest breaches ever disclosed.


Marriott has now issued an update on the security breach and this is what the hotelier has had to say:

Update on the Number of Guests Involved

Marriott now believes that the number of potentially involved guests is lower than the 500 million the company had originally estimated. 

Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident. 

This does not, however, mean that information about 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest. 

The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.

Well, that’s a little bit of good news.

As Marriott has said it was the Starwood reservation database that was compromised, it makes sense that some of the information was duplicated as guests booked stays more than once…it’s just a shame Marriott can’t yet put an exact number on the guests affected.

Image: JW Marriott Desert Springs

Passport Information Update

Marriott now believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers. There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.

Wow! 5.25 million people have had their passport numbers stolen in plain text, and for those numbers there is no encryption to fall back on – whoever took the data can read them directly. That raises the obvious question: why were there any unencrypted passport numbers in the database in the first place?

Presumably there was a procedure in place to encrypt the numbers (which is why a further 20.3 million encrypted numbers were sitting in the same database), so why were 5.25 million numbers left unencrypted? Marriott’s update doesn’t say. The usual explanations for this pattern are records loaded before field encryption was introduced, or data-entry paths that bypass it, but neither is a defence: a control that only covers some of the records is not a control you can rely on.

That seems stunningly incompetent.

Marriott says that it’s taking steps to help those who think their passport details may have been leaked:

Marriott is putting in place a mechanism to enable its designated call center representatives to refer guests to the appropriate resources to enable a look up of individual passport numbers to see if they were included in this set of unencrypted passport numbers.

Marriott will update its designated website for this incident (https://info.starwoodhotels.com) when it has this capability in place.

The website lists phone numbers to reach the company’s dedicated call center and includes information about the process to be followed if guests believe that they have experienced fraud as a result of their passport numbers being involved in this incident.


As far as credit card security goes Marriott has an update on that too:

Payment Card Information Update

Marriott now believes that approximately 8.6 million encrypted payment cards were involved in the incident.  Of that number, approximately 354,000 payment cards were unexpired as of September 2018.  There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers.

While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted.

Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers.

The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests.  

Further updates will be made to the dedicated website: https://info.starwoodhotels.com.

Guests who have questions related to their payment cards should visit https://info.starwoodhotels.com for more information, including toll-free phone numbers to reach the company’s dedicated call center.

Ok, first the good news – Marriott says the payment card numbers were encrypted and that there is no evidence the attackers obtained either of the two components needed to decrypt them. Note the wording, though: “no evidence” is not the same as confirmation that the key material was never touched.

Now the bad news.

Why is Marriott having to check whether card data was “inadvertently” entered into fields that were not encrypted?

Read the statement carefully: this isn’t encrypted data being moved to an unencrypted part of the database, it’s card numbers being typed by hand into fields that were never meant to hold them (presumably free-text ones, given the talk of 15- and 16-digit numbers turning up in “other fields”), so the encryption applied to the card field never applied to them. I don’t care how few cards turn out to be involved, a reservation system that lets staff put a card number into an arbitrary text field, and has nothing in place to catch it, has a hole in its payment-data controls that encrypting the card field alone cannot close.
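Marriott says it is still analysing those stray 15- and 16-digit numbers to decide whether they are card numbers, and the passport update raises the parallel question of plaintext values in a column that was supposed to be encrypted. The script below is an added example of the kind of audit that answers both questions; it is not Marriott’s or Starwood’s code and is not taken from this post. It scans free-text fields for 15/16-digit runs, keeps only those that pass the Luhn check (which is how a booking reference or phone number is told apart from a card number), and flags any “encrypted” field whose value lacks a ciphertext marker. The record layout, the field names and the `enc:v1:` marker are assumptions, and the sample records are constructed, not real guest data.

```python
"""Audit reservation-style records for card numbers typed into free-text
fields and for plaintext values in fields that should be stored encrypted.

Added example, not Marriott/Starwood code. Hypothetical assumptions:
  * encrypted fields carry an "enc:v1:" prefix; anything else is plaintext
  * the SAMPLE_RECORDS below are constructed, not real guest data
"""
import re

# 15- or 16-digit runs, optionally separated by spaces/dashes, bounded by
# non-digits so a longer numeric run (e.g. 17 digits) does not match.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")
ENC_PREFIX = "enc:v1:"  # hypothetical marker for ciphertext at rest

FREE_TEXT_FIELDS = ("notes", "special_requests")
ENCRYPTED_FIELDS = ("card_number", "passport_number")

# Constructed sample data. 4111111111111111 and 378282246310005 are the
# well-known Visa/Amex test numbers; 1234567890123456 is a 16-digit booking
# reference that fails Luhn and must not be flagged.
SAMPLE_RECORDS = [
    {"id": "R1", "card_number": "enc:v1:Qm9va2luZw==", "passport_number": "enc:v1:UGFzcw==",
     "notes": "Late arrival, booking ref 1234567890123456", "special_requests": ""},
    {"id": "R2", "card_number": "enc:v1:Q2FyZA==", "passport_number": "enc:v1:UGFzcw==",
     "notes": "guest gave card 4111 1111 1111 1111 over the phone", "special_requests": "cot"},
    {"id": "R3", "card_number": "enc:v1:Q2FyZA==", "passport_number": "X1234567",
     "notes": "", "special_requests": "Amex 378282246310005 for incidentals"},
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pan_candidates(text: str) -> list:
    """Digit runs of length 15/16 that also pass Luhn; plain refs drop out."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if len(digits) in (15, 16) and luhn_ok(digits):
            found.append(digits)
    return found


def mask(value: str) -> str:
    """Keep only the last four characters so the report itself is not a leak."""
    return "*" * (len(value) - 4) + value[-4:]


def audit_record(rec: dict, free_text_fields=FREE_TEXT_FIELDS,
                 encrypted_fields=ENCRYPTED_FIELDS) -> list:
    """Return (field, issue, masked_value) findings for one record."""
    findings = []
    for f in free_text_fields:
        for pan in find_pan_candidates(str(rec.get(f) or "")):
            findings.append((f, "possible_pan_in_free_text", mask(pan)))
    for f in encrypted_fields:
        v = rec.get(f)
        if v and not str(v).startswith(ENC_PREFIX):
            findings.append((f, "plaintext_in_encrypted_field", mask(str(v))))
    return findings


def audit_records(records) -> dict:
    """Map record id -> findings, for records that have any."""
    report = {}
    for rec in records:
        findings = audit_record(rec)
        if findings:
            report[rec["id"]] = findings
    return report


if __name__ == "__main__":
    for rec_id, findings in audit_records(SAMPLE_RECORDS).items():
        for field, issue, masked in findings:
            print(f"{rec_id}: {issue} in {field}: {masked}")
```

Run against the constructed records, R1 is clean (its 16-digit booking reference fails Luhn), R2 is flagged for the card number in `notes`, and R3 is flagged twice: an Amex number in `special_requests` and a passport number stored in plain text where ciphertext was expected. The Luhn check is a filter, not proof; a passing candidate still needs confirming against the issuer ranges, which is presumably the further analysis Marriott describes.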


Guest Support

If you haven’t been in touch with Marriott yet and are concerned about this data breach there are channels you can go through to get help.

Dedicated Website and Call Center
Marriott has established a dedicated website (https://info.starwoodhotels.com) and call center to answer questions guests may have about this incident. The frequently asked questions on https://info.starwoodhotels.com have been updated and may be further supplemented from time to time.  The call center is open seven days a week and is available in multiple languages.

Free Web Monitoring
Guests from countries and regions listed on the site have the opportunity to enroll in web monitoring services free of charge for one year. Please visit https://info.starwoodhotels.com and click on Free Identity Monitoring to learn more.

Bottom Line

The number of people potentially affected by this data breach may be lower than first thought but Marriott is not coming out of this looking any better following the update.

Serious questions need to be asked about the level of incompetence on display here.

I’d love to know why any organisation would hold unencrypted passport numbers on its systems, alongside encrypted copies of exactly the same kind of data.

I’d also like to know what process allowed card numbers to be entered in plain text into other fields of the database, outside the encrypted card field.

Who would need to do that and why? In a properly controlled environment an input that looks like a card number should be rejected, or at the very least detected, anywhere other than the field built to hold it.

Overall Marriott (and Starwood before it) are looking very bad here and there’s more than a whiff of negligence in the air if the information we have been given is accurate.

From what we’ve been told it sounds as if there were at least two areas where the controls fell well short (both involving unencrypted data that should have been encrypted) and that led to a situation where the attackers got their hands on sensitive information without having to decrypt anything at all – the information was just sitting there waiting to be siphoned off.

It’s hard to overstate how appalling that is in this day and age.
