BETHESDA, Md. (AP) — Fewer Marriott guest records than previously feared were compromised in a massive data breach, but the largest hotel chain in the world confirmed Friday that approximately 5.25 million unencrypted passport numbers were accessed.

The compromise of those passport numbers has raised alarms among security experts because of their value to state intelligence agencies.

The FBI is leading the investigation of the data theft and investigators suspect the hackers were working on behalf of the Chinese Ministry of State Security, the rough equivalent of the CIA.

The hackers accessed about 20.3 million encrypted passport numbers. There is no evidence that they were able to use the master encryption key required to gain access to that data.

Unencrypted passport numbers are valuable to state intelligence agencies because they can be used to compile detailed dossiers on people and their international movements.

In the case of China, it would allow that country’s security ministry to add to databases of aggregated information on valued individuals. Those data points include information on people’s health, finances and travel.

“You can identify things in their past that maybe they don’t want known, points of weakness, blackmail, that type of thing,” said Priscilla Moriuchi, an analyst with Recorded Future who specialized in East Asia at the U.S. National Security Agency where she spent 12 years. She left the agency in 2017.

When the Bethesda, Maryland, hotel chain initially disclosed the breach in November, the company said that hackers had been compiling stolen data undetected for four years, including credit card and passport numbers, birthdates, phone numbers and hotel arrival and departure dates.

The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016.
