The massive data breach of guest information at Marriott-owned Starwood Hotels & Resorts properties, revealed by Marriott International at the end of November 2018, has grown in severity, with the passport numbers of more than 5 million guests compromised, according to The New York Times.

Marriott conceded the passport numbers were lost to hackers because they were not encrypted.

In December 2018, The New York Times reported that the Marriott data breach at Starwood properties was part of a Chinese intelligence-gathering campaign that began in 2014. The breach, which was revealed to consumers at the end of November 2018, was originally estimated to have compromised the information of more than 500 million guests of Marriott-owned Starwood Hotels & Resorts.


Marriott International issued a news release after the latest passport number breach news was revealed. The release stated that the hotel company believes the total number of guests affected is lower than the 500 million it had originally estimated. However, Marriott said it “believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party.”

The revised number still represents the largest such cyberattack data loss in history.

“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” said Arne Sorenson, Marriott president and CEO, in the written statement released on January 4, 2018. “As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”

The news release also stated that the information that was accessed includes approximately 20.3 million encrypted passport numbers, but that there was no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.


Marriott added it believes that approximately 8.6 million encrypted payment cards were involved in the incident, and of that number, 354,000 payment cards were expired as of September 2018.

The chain said that there was no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers.

The company phased out the Starwood reservations database at the end of 2018, it said, with all reservations now being handled through the Marriott system.

Marriott set up a dedicated website and call center to answer any questions about the incident.

An updated list of frequently asked questions and answers is available at and web-monitoring services are available free of charge for one year by accessing and clicking on “Free Identity Monitoring.”

Marriott-owned Starwood brands include the following properties: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

Starwood-branded timeshare properties (Sheraton Vacation Club, Westin Vacation Club, The Luxury Collection Residence Club, St. Regis Residence Club, and Vistana) are also included.
