The Marriott breach announced on November 30, 2018, was initially estimated to have exposed the data of up to 500 million guests, but on Friday Marriott updated its Starwood guest reservation database security incident notice to reflect what it now believes is a more accurate, and somewhat smaller, number of affected guest records.
After weeks of data analysis, the company eliminated duplicate records and arrived at a more accurate upper bound of approximately 383 million guest records involved. In the amendment to its original notice, however, Marriott said that this figure is not the number of unique guests, since many guests have more than one record, and that it believes the number of unique guests affected is far lower.
Marriott now believes that “there were approximately 8.6 million unique payment card numbers, all of which were encrypted [and] approximately 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers.”
"We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened," Marriott CEO Arne Sorenson said in a written statement. "As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers' concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
As the lines between the physical world and cyberspace continue to blur, Tom Kellermann, chief cybersecurity officer at Carbon Black, said that signals intelligence (SIGINT) gathering and human intelligence (HUMINT) gathering are merging. “The Chinese have taken a page from the Russian cyber playbook. The Chinese can now track individuals as they travel and leverage physical and cyber assets to spy on them. This breach is the tipping point that the new Congress may use to mandate federal data breach reporting.”
While breach notification is a GDPR obligation intended to protect privacy, customers are not the only ones affected by a major breach. As nation-state attacks grow more common, the gap between what investors need and what companies disclose about cyber incidents also grows, according to Jake Olcott, VP of communications and government affairs at BitSight.
“While the number of records compromised is a relevant data point, investors need to know the financial impact of an incident,” he said. “What is the estimated financial impact to the brand? The litigation fees? The forensics fees? Does insurance cover these costs? The SEC and the investor community can do more to ensure that the market is receiving material information on these critical issues.”