Marriott says 25 million passport numbers were stolen; 5.25 million were unencrypted

A Marriott hotel in Santa Clara, Calif.
(Paul Sakuma / Associated Press)

Passport numbers of more than 25 million guests at the Starwood chain of hotels were stolen by hackers in November, Marriott announced Friday as the world’s largest hotel company comes to terms with the scope of the data breach.

The Bethesda, Md., company acknowledged for the first time that 5.25 million of those passport numbers were unencrypted — or not coded to prevent unauthorized access. More than 20 million were encrypted. No evidence has yet surfaced that the hackers accessed the master encryption key needed to decrypt those passport numbers.

If the hackers were Chinese intelligence agents, as security experts have suggested, the passport data could be particularly damaging because it would allow a foreign power to identify and track the movements of government and business travelers. China is reported to be assembling a database on individuals that could be useful in cyber warfare.


The breach also included dates of birth and credit card numbers, as well as contact information such as mailing addresses and email addresses.

The incident involved about 383 million records of guests who made a reservation at Starwood properties on or before Sept. 10, 2018, the company said. That’s fewer than the original figure of 500 million guests the company had announced as affected, but it still ranks the breach as one of the largest in history.

A 2013 data breach at Yahoo affected its 3 billion users, exposing names, birth dates, phone numbers and passwords. A 2017 hack at Equifax, the credit reporting giant, involved the Social Security and driver’s license numbers of about 145 million Americans.

Marriott said it had not yet determined how many of the 383 million records are duplicates involving the same guest.

The Starwood brands, which were acquired by Marriott in 2016, include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, the Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Timeshare properties such as Sheraton Vacation Club, Westin Vacation Club, the Luxury Collection Residence Club, St. Regis Residence Club, and Vistana are also part of the chain.

Marriott established a dedicated website and call center (1-877-273-9481) to answer questions. Guests may enroll in web monitoring services free of charge for one year.

China has denied it was involved in the hack, which is under investigation by the FBI.

Twitter: @margotroosevelt