In an update on a recent cyber-attack on the company, Marriott has said up to 383 million customers may have been impacted.
The number is down from an earlier estimate of 500 million travellers.
However, the hotel giant for the first time conceded that its Starwood hotel unit did not encrypt the passport numbers for roughly five million guests.
Those passport numbers were lost in the attack.
While there has been no confirmation from Marriott, many outside experts believe the attack was carried out by Chinese intelligence agencies.
“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened,” said Arne Sorenson, Marriott president.
“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
The number of payment cards and passport numbers involved is a relatively small percentage of the overall total records involved, Marriott added.
The new figures, however, do not mean that information on 383 million unique guests was involved, as in many instances, there appear to be multiple records for the same guest, Marriott was keen to stress.
The company has concluded with a “fair degree of certainty” that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database.
The information accessed also includes approximately 20.3 million encrypted passport numbers.
“There is no evidence that the unauthorised third party accessed the master encryption key needed to decrypt the encrypted passport numbers,” the company added in the update.