Marriott International said Friday that 5.25 million unencrypted passport numbers were stolen as part of a data breach it disclosed in November — but it also walked back the total number of people affected.
Among the information involved in the potential theft, the passport numbers and travel itineraries represent a potential espionage bonanza, a breach made more troubling since China has been seen as the likely origin of the cyberattack.
“Compromise of those passports is historic — 5.25 million individuals are essentially exposed to cybercrime and economic espionage,” Tom Kellermann, chief cybersecurity officer at Carbon Black, a Massachusetts-based cybersecurity firm, said. “The Chinese can now track individuals as they travel and leverage physical and cyber assets to spy on them.”
Paired with other sensitive data and intelligence, the passport numbers, potentially together with the compromised arrival, departure and reservation dates, could allow hostile nation states to track the movements of key government and business executives, revealing their activities and intentions, or could be used to recruit and coerce sources, intelligence and cybersecurity experts told NBC News.
“A passport number serves as a unique identifier and is required when entering and exiting international borders, as well as checking into hotels while traveling abroad,” Jon Condra, director of Asia Pacific research at the threat intelligence firm Flashpoint, said in an email. “Knowledge of this number would in theory aid Chinese intelligence efforts at tracking and establishing surveillance upon high value targets during travel.”
Even if the passport numbers are reissued, they could still be used to predict future travel by correlating them with past records, he said.
The company didn't offer clues to the identity of the attackers in its latest update.
“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott,” Arne Sorenson, Marriott’s president and chief executive officer, said in a statement.
The company had initially said the hack compromised the data of up to 500 million guests but downgraded that to a maximum of 383 million guests. It said that number could fall further as the company identified duplicate customer records.
The revised figure still puts the breach among the largest ever reported, ahead of the credit-reporting agency Equifax's loss of nearly 150 million customers' data in 2017.
There were also nearly 20 million encrypted passport numbers involved in the intrusion, Marriott said, but there was no sign the attackers had stolen the master key needed to decode them back into numbers from scrambled text.
“It boggles the mind,” Mark Weatherford, former deputy undersecretary for cybersecurity at the Department of Homeland Security, said in an interview. “Why was 20 percent of their sensitive passport data unencrypted?”
“This is not simply credit card information that is easily changed,” Weatherford said. “This is incredibly sensitive and personal identification information that can be abused.”
Marriott also disclosed that the attack involved data on 8.6 million encrypted credit cards, of which all but 354,000 were expired. However, it said that fewer than 2,000 unencrypted card numbers may still have been swiped.
The company established a website — info.starwoodhotels.com — for concerned customers to visit for updates and is staffing a call center to answer questions.
It's unusual for the perpetrator of a nation-state cyberattack to be identified swiftly, if at all, but Secretary of State Mike Pompeo seemed to attribute the attack to Chinese actors last month on Fox News. As he touched on Chinese espionage and influence operations in the U.S., a host offered that the latest instance was the Marriott breach. “That's right,” replied Pompeo.
Prompted by Pompeo's remark, members of the Senate Intelligence Committee requested a briefing from U.S. intelligence agencies about the Marriott intrusion, according to a Hill source familiar with the matter who was not authorized to speak publicly.
“The lines between the physical world and cyberspace are blurring as we see signals intelligence gathering and human intelligence gathering merging,” said Kellermann of Carbon Black.
“This breach is the tipping point that the new Congress may use to mandate federal data breach reporting.”