Marriott servers (not pictured) are now handling all group bookings following the Starwood phase-out.

A new “upper limit” of 383 million customer records has been outlined by Marriott International as having potentially been involved in its recent data security breach announced late last year.

In an update to its customer database provided yesterday, the world’s largest hotel group said that by working closely with internal and external data forensics and analytic investigations teams, the total number of guest records which may have been impacted is less than initially estimated.

Further, the company said the number of payment cards and passport numbers potentially compromised is a “relatively small percentage” of the records involved. While the new upper limit was set at 383 million, Marriott said it “has concluded with a fair degree of certainty” that fewer unique guests were involved, with many individual guests likely holding multiple separate or duplicate records within the system.

As of the end of 2018, Marriott added that room reservations were no longer possible through the Starwood systems, with all data transferred to the main Marriott system following an extensive post-merger integration project.

Detailed analysis by Marriott has revealed that details of around 8.6 million encrypted payment cards had been involved in the accessed data, however only 354,000 of these were unexpired as of September 2018.

Marriott said that in relation to guest passport information, approximately 5.25 million unencrypted passport numbers were included in the data tranche accessed by the unauthorised party along with a further 20.3 million already encrypted. The company added that there was no evidence that the master key needed to decrypt data from payment cards or passports had been accessed.

Further analysis to determine whether payment information had been inadvertently entered into other unencrypted fields during any online bookings was still being carried out, with only around 2,000 instances of this estimated to have potentially occurred.

Guests suspecting any fraudulent activity to do with their passports can contact Marriott on a dedicated phone line to look up individual numbers involved in this unencrypted set.