Massive data breach at Marriott; up to 500 million people affected

That would make somewhat more sense.

If the 500 million number is correct, given there are 339,000 Starwood hotel rooms available, for there to be 500 million unique guests would mean that every Starwood hotel room would have to be booked every single day, and every visitor is a unique visitor who stayed one day. (That would bring us to about 495 million unique visitors.)

Now, does that pass the sniff test? Of course not!

Naw, you’re overthinking this.

500M is likely a rounded number giving the high range of what they may have lost. However, while reporting this they also don’t want to inadvertently give out other info such as occupancy rates, unique visitors, etc., so they probably just did my calculation “Uh, if we lost 4 years of daily data and we have 135k rooms… you’re telling me up to a half a billion records were hacked?”

If you want to come up with a reasonable upper bound, you can keep the occupancy rate and average length of stay in mind. Looks like numbers generally float around 65%, but I found Sheraton’s occupancy rate is 73%. So let’s be generous and use the higher number. Resort hotels also tend to have longer lengths of stay. But let’s be generous and pretend it’s only 2 days. So, 339,000 * (4*365.25) * 0.73 / 2, gives us 180 million as a generous upper bound of unique visitors, assuming each guest only stays two days, and no guest repeats their stays in a four-year period.

:dubious: 7.5% of 325,000,000 is about 24.3 million, in four years that would be just under 100 million. I don’t know where you got 172 million people from.

If you read the quotes more closely, you’ll see that it says “as many as 500 million”. That’s just the upper limit. Based on that, I’d say that JohnT is prolly correct: they got every room’s daily record.

I don’t think I’m overthinking at all. I think I’m just thinking. When I heard that number on the radio this morning, the first thing I thought was, there is no way in hell that number can possibly be correct. And it very obviously isn’t. Now, do note that it does weasel with “as many as,” but to me the number looks an order of magnitude off, or close to it.

Las Vegas has 42.9 million visitors per year, not 24.3 million; I rounded up to 43 million.

Like I said, THAT makes sense.

Mostly the problem is contractors being paid to secure “90%” of the network. And I say this as a contractor.

“500 million guests” is laughably wrong. It can’t even be 500 million check-outs. Probably either every transaction, such as taking a Coke from the minibar, that’s a transaction, or just the sum of all the rows in all the tables that got hacked.

Maybe restaurant and bar transactions are in there too. We just don’t know a lot yet. Dunno if we ever will know that much.