"As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers' concerns and meet the standard of excellence our customers deserve and expect from Marriott", said Marriott Chief Executive Arne Sorenson.
Reservations at all its Starwood properties - which include the Park Lane Sheraton Grand, Westbury Mayfair and Le Meridien Piccadilly in London - were affected.
In November, Marriott revealed that it had experienced a security breach on its Starwood reservation system, potentially leaving information about 500 million guests exposed. Marriott officials said the company is in the process of setting up a resource to allow customers to check whether their passport number was part of the breach. Hackers spent roughly four years inside Starwood's networks, the company announced November 30. In some cases, customers' payment card information, birthdates, and passport numbers. The company also noted that while 383 million is the upper limit of records that may have been compromised, that doesn't mean all 383 million records and guests definitely had their passport numbers or payment information compromised. Because the system, it said, occasionally generates multiple records for a single guest, what the company really disclosed on Friday is that, as of right now, it basically has no idea how many people have actually been affected.
The hotel chain said 8.6 million unique payment card numbers, all of which were encrypted, were also involved. There is no evidence at this time that the hacker was able to access the master decryption key for the encrypted numbers. Regardless, Marriott says there isn't any evidence that the hackers acquired the tools needed to decrypted the card info.
While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to determine whether payment card data was inadvertently entered into other fields and was therefore not encrypted. Marriott said there's a chance that "a small number (fewer than 2,000)" of unencrypted payment card numbers were also exposed, but it's still investigating.
The company said on Friday it is putting together a system for guests to check whether their passport information has been compromised. Marriott already created a dedicated website and call center about the data base hack. Marriott is offering affected customers one year of free identity monitoring services. The company also operates award-winning loyalty programs: Marriott Rewards®, which includes The Ritz-Carlton Rewards®, and Starwood Preferred Guest®.