6 May 2024

Marriott admits its systems were not encrypted before 2018 data breach

Hospitality giant Marriott International has admitted that its systems were not encrypted before the 2018 data breach. The revelation came to light during an April hearing for a case involving customers who sued the hotel chain, according to CSO Online.

In 2018, Marriott International suffered a significant data breach that affected millions of its guests. The breach exposed a range of personal and sensitive data, including names, addresses, phone numbers, email addresses, passport numbers, and payment card information. It began in 2014, two years before Marriott acquired Starwood Hotels and Resorts Worldwide, and quietly leaked data for about four years before it was detected in 2018. To make matters worse, the company disclosed yet another data breach in 2020, impacting approximately 5.2 million guests.

Marriott acknowledged that the data was protected with the Secure Hash Algorithm 1 (SHA-1), a keyless one-way hash function that does not qualify as encryption, rather than the Advanced Encryption Standard 128 (AES-128) it had previously claimed to use.
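
To make the distinction concrete, here is an added Go example (not Marriott's code, and not from the article) that hashes a constructed sample card number with SHA-1 and encrypts the same value with AES-128 in GCM mode. The hash needs no key to compute or to check, so anyone holding the table can test a guessed value against it; the ciphertext can be recovered, or even verified, only by a holder of the key. The sample value, the keys and the choice of GCM are assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// sampleCard is a constructed value: the well-known "4111..." test number,
// not a real card.
const sampleCard = "4111111111111111"

// Sha1Digest hashes a value with SHA-1 and returns the hex digest. No key is
// involved: the digest depends only on the input, so anyone who can guess
// the input can recompute it.
func Sha1Digest(value string) string {
	sum := sha1.Sum([]byte(value))
	return hex.EncodeToString(sum[:])
}

// MatchesDigest reports whether candidate hashes to storedDigest. The check
// needs no secret, which is why an unkeyed hash of a low-entropy value such
// as a card number is not a confidentiality control.
func MatchesDigest(candidate, storedDigest string) bool {
	return Sha1Digest(candidate) == storedDigest
}

// newGCM builds an AES-128-GCM AEAD from a 16-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAES128 encrypts value under key and returns nonce || ciphertext || tag.
func EncryptAES128(key []byte, value string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(value), nil), nil
}

// DecryptAES128 reverses EncryptAES128. A wrong key fails authentication
// instead of yielding plaintext, so guesses cannot be checked without the key.
func DecryptAES128(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	digest := Sha1Digest(sampleCard)
	fmt.Println("SHA-1 digest:          ", digest)
	fmt.Println("guess matches, no key: ", MatchesDigest(sampleCard, digest))

	key := make([]byte, 16) // constructed demo key; real keys belong in a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	blob, err := EncryptAES128(key, sampleCard)
	if err != nil {
		panic(err)
	}
	fmt.Printf("AES-128-GCM ciphertext: %x\n", blob)
	plain, err := DecryptAES128(key, blob)
	fmt.Println("decrypt with key:      ", plain, err)
	_, err = DecryptAES128(make([]byte, 16), blob)
	fmt.Println("decrypt with wrong key:", err)
}
```

The point a defender takes from running it: a deterministic, keyless hash of a value drawn from a small, structured space (a 16-digit card number) offers no confidentiality, whereas AES-128 under a managed key does, so the correction in Marriott's notice changes the risk assessment of the exposed tables, not just the terminology.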

The judge presiding over the case has ordered Marriott to promptly update its website with this information. However, it was discovered that Marriott made the amendment on a webpage created in 2019 without issuing any alerts to its customers.

“Following an investigation with several leading data security experts, Marriott initially determined that the payment card numbers and certain passport numbers in the database tables involved in the Starwood database security incident that Marriott reported on November 30, 2018 were protected using Advanced Encryption Standard 128 encryption (AES-128),” the notice on Marriott's website reads. “Marriott has now determined that the payment card numbers and some of the passport numbers in those tables were instead protected with a different cryptographic method known as Secure Hash Algorithm 1 (SHA-1).”

This admission raises questions about Marriott's previous defense strategy regarding the 2018 breach, in which it argued that the strength of its AES-128 encryption should warrant dismissal of the case. Attorneys for the hotel chain confirmed in the April hearing that AES-128 encryption was never used at the time of the breach.

Despite its admission, Marriott has yet to address the critical questions surrounding the matter. Additionally, the hotel giant neither issued a news release nor prominently displayed the update on its homepage.
