Marriott Shares New Details on How Bad Their Data Breach Was

Marriott has provided additional information on their massive data breach. We’re supposed to be comforted that it’s ‘only’ 383 million and not 500 million records that were accessed – Skift covers this as “Marriott Says Data Breach Not as Bad as Originally Disclosed” which is pretty priceless.

  • They had said 500 million records had been hacked. Now they say it’s not more than 383 million (this is supposed to be good news). It was never 500 million people but they’re emphasizing the point that many guests have multiple stays and therefore fewer than 383 million people had their data stolen. Marriott isn’t telling us how many people though, which should be concerning in its own right.

  • 5.25 million unencrypted passport numbers were accessed and 20.3 million encrypted passport numbers. “There is no evidence that” the master encryption key was accessed, compromising those 20 million additional passports, but Marriott isn’t saying the encryption key wasn’t accessed. It’s shocking that passport numbers were stored as unencrypted text.

  • There’s going to be a process to look up whether your passport was compromised. Eventually this will be online. And since Marriott wants to remind you that it was the Starwood database (that they’ve been managing) so the lookup tool will be at and not on a domain. Recall of course that Marriott has said they will pay for new passports only for those that are already actual victims of compromised data being used and not ‘merely’ for the 5 million people whose passport numbers were irresponsibly stored and stolen.

  • 8.6 million payment cards were accessed these were encrypted and only 354,000 were unexpired as of September 2018 but of course Marriott previously said the breach had been ongoing prior to that time. In addition “Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted.” They believe the number involved is less than 2000.

  • Don’t worry we no longer use the Starwood reservation database as though this has anything whatsoever to do with the data breach, Marriott has transitioned hotels onto their own property management system as-planned. Of course the Starwood data warehouse is still live – fortunately – because many of us still have issues with our merged loyalty program accounts.

Marriott still hasn’t told us anything about their notes on your as as a customer that were taken.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »


  1. Don’t worry – once they get the Bonfire program launch behind them, they can prioritize working on this. Seriously though, this suggests negligence on their behalf. I wonder if they could face GDPR penalties in Europe over this, that would help focus their efforts!

  2. Looking forward to WikiLeaks posting customer comments – ” 5-15 Mr. SonofaB calls monthly to request points from phantom stays, then requests 3,000 Starpoints for the hold time…”

  3. To Marriott: Whatever! You screwed up this merger, and you are still screwing up! I personally do not believe that this has been on-going from 2014. I think it is all a fabrication to make the Marriott merger appear to be all SPG’s fault. Because if this data had been in the “dark web” since 2014, there would have incidents of the data being used illegally. And, there hasn’t been 500,000,000 complaints of compromised data. As far I know, there hasn’t been any.

  4. “Marriott still hasn’t told us anything about their notes on your as as a customer that were taken.”

    What does that mean?

  5. I’m still confused about the Marriott/SPG merger. I want to transfer a bunch of SPG points to an airline. Should I do that BEFORE merging the accounts? Or will Marriott points transfer to airlines, too?

Leave a Reply

Your email address will not be published. Required fields are marked *