Marriott said for the first time that 5.25 million passport numbers were kept in the Starwood system in plain, unencrypted data files — meaning they were easily read by anyone inside the reservation system. An additional 20.3 million passport numbers were kept in encrypted files, which would require a master encryption key to read. “There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers,” Marriott said in a statement. It was not immediately clear why some numbers were encrypted and others were not — other than that hotels in each country, and sometimes each property, had different protocols for handling the passport information. Marriott has said it would pay for a new passport for anyone whose passport information, hacked from their systems, was found to be involved in a fraud.

Source: New York Times January 04, 2019 13:55 UTC