Marriott today said that teams of forensic and data analysts had identified “approximately 383 million records as the upper limit” for the total number of guest reservations records lost. The company still says it has no idea who carried out the attack, and it suggested the figure would decline over time as more duplicate records are identified.
What made the Starwood attack different was the presence of passport numbers, which could make it far easier for an intelligence service to track people who cross borders. That is particularly important in this case: In December, The New York Times reported that the attack was part of a Chinese intelligence-gathering effort that, reaching back to 2014, also hacked U.S. health insurers and the Office of Personnel Management, which keeps security clearance files on millions of Americans.
So far, there are no known cases in which stolen passport or credit card information was found in fraudulent transactions. But to cyberattack investigators, that is just another sign that the hacking was conducted by intelligence agencies, not criminals. The agencies would want to use the data for their own purposes — building databases and tracking government or industrial surveillance targets — rather than exploiting the data for economic profit.
Taken together, the attack appeared to be part of a broader effort by China’s Ministry of State Security to compile a huge database of Americans and others with sensitive government or industry positions — including where they worked, the names of their colleagues, foreign contacts and friends, and where they travel.
“Big data is the new wave for counterintelligence,” James A. Lewis, a cybersecurity expert who runs the technology policy program at the Center for Strategic and International Studies in Washington, said last month.
Marriott International said fewer customer records were stolen than initially feared but added that more than 25 million passport numbers were stolen in last month’s cyber attack. The company said today that the biggest hacking of personal information in history was not quite as big as first feared but for the first time conceded that its Starwood hotel unit did not encrypt the passport numbers for roughly 5 million guests. Those passport numbers were lost in an attack that many outside experts believe was carried out by Chinese intelligence agencies.
When the attack was first revealed by Marriott at the end of November, it said information on upward of 500 million guests may have been stolen, all from the reservations database of Starwood, a major hotel chain that Marriot had acquired. But at the time, the company said that the figure was a worst-case scenario because it included millions of duplicate records.