After a few months of careful investigation, the Marriott hotel chain has lowered its estimate of the number of guests affected by the data leak that occurred on hotel servers in November. The number of affected clients initially disclosed was 500 million, but after the investigation the hotel believes that the hackers had access to the data of “only” 383 million guests.
Even with the lower figure, the incident is still the biggest personal data leak in history. It far exceeds that of Equifax, which in 2017 exposed the data of 147.7 million people in the United States, as well as those of technology companies such as Facebook, whose data leaks have affected millions of users around the world.
In November, hackers broke into the hotel’s reservation server, stealing information such as names, addresses, phone numbers, credit card and passport details from more than 300 million of the chain’s customers.
The hackers were able to gain access to the reservation server of the Starwood Group, which Marriott acquired in 2016. The intrusion allowed them to steal data from customers who, since 2014, have stayed at Sheraton Hotels, W Hotels, Le Meridien, Four Points by Sheraton, Aloft and St Regis.
According to the hotel, around 5.25 million passport numbers were stolen, and the intruders also had access to encrypted files containing over 20 million passports, but the hotel guarantees that no one had access to the code needed to decrypt those files. The chain also says that around 8.6 million credit card numbers were stolen, but it does not yet know how many of those files were protected by encryption.
It is also unclear who is behind the intrusion into the hotel’s server, but Reuters, the Washington Post and the New York Times say investigators believe China is involved in the attack. Mike Pompeo, Secretary of State of the United States, said the same in an interview on the program Fox and Friends.
For now, Marriott is offering to pay for a new passport for any customer who proves they were a victim of fraud. If it pays for all the stolen passports, that would mean a loss of more than $500 million for the hotel. The case is also being used by Sen. Ron Wyden to speed up the Consumer Data Protection Act, which gives the court the power to arrest CEOs of companies that lie about the methods used to protect the privacy of their customers’ and users’ data.