Marriott now says 5 million unencrypted passport numbers were stolen in Starwood hotel data breach

Starwood’s data breach just got both better and worse at the same time.

Marriott, which owns hotel chain giant Starwood, said it has revised the number of customers affected by its recently disclosed data breach from 500 million to “fewer than 383 million unique guests.” That doesn’t mean all those 383 million guests are affected, Marriott said, but the hotel giant still can’t yet give a more precise number of customers whose data was stolen.

The bad news is that the company confirmed that more than five million unencrypted passport numbers were stolen, on top of the more than 20 million encrypted passport numbers.

That is a problem on two fronts. Passport numbers can be used for identity theft and fraud, and they are also the sort of data that is highly valuable to spy agencies, which can use it to track where government officials, diplomats and adversaries have stayed — giving insight into what would ordinarily be clandestine activities.

Marriott also said that 8.6 million unique payment card numbers were taken, but that only 354,000 of those cards were still active and unexpired as of September, when the breach was discovered.

The hotel giant said it had “no evidence” to show that the hackers stole the keys needed to decrypt the encrypted data, but did not say how it came to that conclusion, nor how or where those keys were stored relative to the database that was compromised. Encrypted records only protect guests if the attackers could not also reach the keys.

Starwood’s security lapse became the largest data breach last year, and remains one of the most damaging hacking incidents in recent memory. The company said the contents of the stolen data were from the Starwood guest reservation database, which it acquired when it bought Starwood and its 1,200 properties in 2016 for $13 billion.

Marriott said in its Friday update that it has “completed the phase out” of Starwood’s reservation database and now runs guest bookings through its Marriott database, which was not affected by the breach.