Marriott has downsized its original estimate on a major data breach, but the number of people affected is still historic.
The hotel group announced Friday that it now believes hackers accessed the records of up to 383 million guests, following an investigation it conducted with a forensics and analytics team. In November, it had reported an estimate of as many as 500 million guests.
Hackers look for poor protection that they can bypass to steal valuable details like Social Security numbers, birth dates, email addresses and credit card numbers.
In November, Marriott announced that hackers compromised the reservation database for its Starwood division, which the hotel group acquired in 2016. The Starwood group, which includes hotel lines like Sheraton, W Hotels, Westin, Le Meridien, Four Points by Sheraton, Aloft and St. Regis, had been compromised since 2014, Marriott said.
"We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened," Arne Sorenson, Marriott's president, said in a statement.
Passport numbers swiped
The stolen data in Marriott's breach included names, addresses, phone numbers, credit card information, emails, passport numbers and travel details.
The company announced that about 5.25 million unencrypted passport numbers were stolen in the hack, while another 20.3 million encrypted passport numbers were taken. "There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers," the company said in its statement.
Marriott has offered to pay for new passports if affected guests can prove they were victims of fraud. That could cost the company up to $577 million.
There were about 8.6 million encrypted credit card numbers stolen in the breach as well, Marriott said. It's still investigating how many stolen payment card numbers were not encrypted.
The Department of Justice and the Department of State declined to back up his remarks.
Lawmakers have called for companies to improve their cybersecurity, and Sen. Ron Wyden has introduced a Consumer Data Protection Act that, among other things, could lead to jail time for CEOs who've been found to have lied about data protection efforts.