There is both good and bad news for Marriott users. The good news: Marriott International Inc. executives have said that the Marriott data breach, one of the biggest hacks of personal data in the corporation’s history, was not quite as big as first feared. At the same time, more than 5 million passport numbers were compromised.
Marriott International, the world’s largest hotel company, said on Friday that the breach of its Starwood reservation database did not affect as many customers as it first feared. The company said that the figure was a worst-case scenario because it included a large number of duplicate records.
When the attack was first reported by Marriott in late November, it said that data of over 500 million guests might have been stolen.
According to an update published to the company’s website, the estimated number of customers whose personal data was stolen comes down to about 383 million. Even that figure is unlikely to represent 383 million “unique guests”, because there appear to be a number of “duplicate records” for guests.
The company gave no further guidance on who may have been behind the hacking. It turns out that over five million customers’ passport numbers were stolen, in an attack in which the Chinese government is believed to have been involved behind the scenes.
However, Chinese government officials have denied involvement in the attack and promised to carry out an investigation if they’re offered evidence of wrongdoing.
“If offered evidence, the relevant Chinese departments will carry out investigations according to the law”, said Geng Shuang, a spokesman for China’s Ministry of Foreign Affairs.
This might be a problem, as the encrypted passport numbers are valuable to state intelligence agencies: passport numbers can be used to track where government officials, diplomats, and adversaries have stayed, which can reveal things in their past that they don’t want to be known.
So far, there are no known cases in which stolen passport or credit card information was found in fraudulent transactions. Investigations into data breaches typically take several months at least, and the government often doesn’t publicly attribute a hack to a foreign adversary until years later, if at all.