In an update today to its November 30 disclosure, Marriott now says the (allegedly Chinese) miscreants who broke into its Starwood guest database made off with a total of 5.25 million unencrypted passport numbers and 20.3 million encrypted numbers.
While the passport numbers would be considered sensitive personal information that should not be made public, the numbers and names of guests alone would not be enough for a criminal to create a forged passport. Still, Marriott will be covering the cost for anyone who has had to get a new passport as a result of the data theft.
In addition to the passport numbers, Marriott says the criminals made off with 8.6 million encrypted payment card numbers. While fraud would be possible should those numbers be decrypted, most would be useless by now: according to Marriott, all but 354,000 of the lifted numbers had expired by September 2018, which was when the heist was discovered. On the other hand, the hackers were in Marriott’s systems from 2014 to that date, so many of those cards were likely active during the database infiltration, we reckon.