Skip to main content

U.S. Business Marriott says fewer guests affected by data hack than feared, but compromised passports raise alarms

The exterior of a Marriott hotel in Santa Clara, Calif.

The Associated Press

Fewer Marriott guest records than previously feared were compromised in a massive data breach, but the largest hotel chain in the world confirmed Friday that approximately 5.25 million unencrypted passport numbers were accessed.

The compromise of those passport numbers has raised alarms among security experts because of their value to state intelligence agencies.

The FBI is leading the investigation of the data theft and investigators suspect the hackers were working on behalf of the Chinese Ministry of State Security, the rough equivalent of the CIA.

Story continues below advertisement

The hackers accessed about 20.3 million encrypted passport numbers. There is no evidence that they were able to use the master encryption key required to gain access to those data.

Unencrypted passport numbers are valuable to state intelligence agencies because they can be used to compile detailed dossiers on people and their international movements.

In the case of China, it would allow that country’s security ministry to add to databases of aggregated information on valued individuals. Those data points include information on people’s health, finances and travel.

“You can identify things in their past that maybe they don’t want known, points of weakness, blackmail, that type of thing,” said Priscilla Moriuchi, an analyst with Recorded Future who specialized in East Asia at the U.S. National Security Agency where she spent 12 years. She left the agency in 2017.

When the Bethesda, Md., hotel chain initially disclosed the breach in November, the company said that hackers compiled stolen data undetected for four years, including credit card and passport numbers, birthdates, phone numbers and hotel arrival and departure dates.

The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwood-branded time-share properties were also affected. None of the Marriott-branded chains were threatened.

Marriott said Friday that it now believes the overall number of guests potentially involved is around 383 million, less than the initial estimate of 500 million, but still one of the largest security breaches on record.

Story continues below advertisement

The 2017 Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.

Report an error
Tickers mentioned in this story
Unchecking box will stop auto data updates
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

Cannabis pro newsletter