Marriott, the world’s largest hotel company, disclosed in November that a hack in the reservation database for its Starwood properties may have exposed the personal information of up to 500 million guests.
The incident marked one of the largest data breaches in history, rivaled only by a hack of Yahoo Inc. in 2013 and 2014.
The company said early Friday in a release that the number of guests involved in the data breach is lower than the original 500 million, but it didn’t specify a number.
Marriott said a total of about 383 million records was “the upper limit” for the number potentially compromised in the incident. That figure includes passport numbers, email addresses and payment-card data of some guests, the company said.
Marriott said that in many instances, there appear to be multiple records for the same guest, meaning that it is unlikely 383 million people were affected.
“The company is not able to quantify that lower number because of the nature of the data in the database,” the company said in its release.
The Federal Bureau of Investigation is leading an investigation into the Marriott hack. U.S. officials familiar with the probe as well as independent cybersecurity researchers have said they increasingly view China as the leading suspect in the breach, due to a variety of forensic clues and Beijing’s history of pilfering large American data sets for intelligence purposes.
A Marriott spokeswoman declined to comment on possible suspects in the breach and said the company is working with authorities. The company gave no further guidance on who may have been behind the hack.
“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott,” Arne Sorenson, Marriott’s president and chief executive officer, said in a statement.
Marriott has more than 6,700 properties world-wide, including its Starwood brands, which account for about a third of the company’s total collection. Those brands include Sheraton, W Hotels, Westin, Le Méridien, Four Points by Sheraton and Aloft.
Marriott said the information accessed by the hackers included more than 5 million unencrypted passport numbers, along with about 20 million encrypted passport numbers. Encrypted data is scrambled so that it is unreadable without the corresponding decryption key, making it harder for outsiders to make use of the information.
The compromise of passport information in the Marriott breach would have been especially valuable to foreign spy agencies in China or elsewhere, former and current U.S. officials said, because it would allow them to track the international travel of government officials and business executives and could be paired with other sensitive information to compile detailed dossiers on certain individuals.
The data breach also affected about 8.6 million encrypted payment cards. Of that number, Marriott said 354,000 were active as of September 2018. The company said it hasn’t found evidence that the hackers were able to “decrypt” the payment card numbers.
The company also said fewer than 2,000 payment card numbers may have been unencrypted and it is “undertaking additional analysis” to uncover more information.
China has routinely denied allegations from the U.S. and other countries that it is responsible for cyberattacks against governments or private companies.
Investigations into data breaches typically take several months at least, and the government often doesn’t publicly attribute a hack to a foreign adversary until years later, if at all.
Secretary of State Mike Pompeo last month appeared to publicly implicate China in the hack during a live television interview on Fox News. While discussing Beijing’s espionage in the U.S., a host interjected that the latest example was Marriott, to which Mr. Pompeo replied, “That’s right.”
Alarmed by Mr. Pompeo’s remark, lawmakers on the Senate Intelligence Committee requested a briefing from U.S. intelligence agencies about the Marriott intrusion, according to a U.S. official familiar with the matter.