Marriott Sheds New Light on Massive Breach

Commenting on a new round of information about the massive data breach that struck Starwood Hotels, Marriott International now says that the breach was somewhat less massive than originally thought, affecting roughly 383 million records rather than the 500 million originally said to have been compromised.

The news about the passport information released is not as good: Marriott has now put a number on the breached passport records, and it's 5.25 million. That's the number of unencrypted passport numbers that were accessed; roughly 20.3 million encrypted numbers were grabbed by the perpetrators, though Marriott says that there is no evidence that the criminals got the key required for unencrypting the files.

Responding to the announcement, Matt Aldridge, senior solutions architect at Webroot, said, "A key question we need to ask is why do hotels need to store passport numbers? One of the biggest impacts of GDPR was that it forced companies to consider the personal data they hold and ask customers for, whether this data was really needed and if so how to properly protect it. This is a great example of too much data being collected and retained."

Marriott says that it will have a mechanism available on its website for guests to check in order to see whether their passport number was accessed; the company promises to update the website and notify the public when the mechanism is running.

For more, read here.