When news broke that passport and credit card numbers had leaked from Starwood’s reservations database in November 2018, early indications suggested over 500 million guests’ data had been exposed.
Following an investigation, Marriott believes that 383 million records is the upper limit for the total number of records stolen. It is important to note that this is not 383 million unique guests' information, but rather the records for 383 million stays as many guests have repeated stays.
Of that stolen data, over 25.5 million passport numbers were accessed. Information for approximately 8.6 million encrypted payment cards was involved in the incident, but there is no evidence that the thief accessed the required components to decrypt the information.
As a result of the data breach, Marriott has completely phased out the Starwood reservations database. All the company’s reservations now run through the Marriott system.
Marriott has said it will continue to analyse and investigate the situation.