TripAdvisor might want to consider adding a “breach” category. Last Friday, Marriott announced that an unauthorized party had gained access to its Starwood guest reservation database, potentially compromising the information of up to 500 million guests.

Those numbers would constitute more than twice the number of people affected by the Equifax breach and fall second only to two separate incidents at Yahoo in terms of extent.

But the incident might wind up being more memorable for nature of the data that was targeted and the patience the intruders apparently displayed in extracting sensitive financial information from the Starwood system.

According to a statement released Friday, the compromised database included financial information like encrypted payment card numbers, identifying information such as birth dates and passport numbers, and personal preferences like a customer's preferred method of communication. The intruder had copied and encrypted data and taken steps toward removing it.

While it's still early in the investigation, Paige Boshell, a managing member at Privacy Counsel LLC, thought it was odd that the bad actor(s) involved took the time to copy and encrypt the data without installing ransomware or seizing the target information posthaste.

“The involvement of payment card data indicates that there might be a financial criminal motive, and that's usually what we see—but it's not entirely clear that it was limited to that because usually, if there's a financial motivation, you take the credit card information and get out,” Boshell said.

On the other hand, Zohar Pinhasi, CEO of the cybersecurity firm MonsterCloud, didn't find that situation to be unusual at all. His business deals regularly with clients who have their personal information stolen and then used as blackmail material by bad actors.

Passwords captured in these kinds of attacks can open the doors to all kinds of embarrassing or sensitive information, since people tend to use the same familiar combination across numerous platforms and accounts. In this case, the Starwood guest reservation database may have represented an attractive starting point because the names inside typically belong to people who can afford to pay a $1,000 bitcoin ransom.

“Social engineering is the name of the game, and the more creative you are with this kind of information, the better chances you have to extract money from victims,” Pinhasi said.

Last Friday's release from Marriott said the company has reported the incident to law enforcement and is continuing to support the investigation. A dedicated website and call center has been established to answer questions, and impacted guests have been granted free enrollment with WebWatcher, a tool that monitors sites where consumer information is shared for a consumer's data.

Boshell said that determining the breadth of the harm done—and whether any data was actually removed from the system—will be crucial to the hotel chain's strategy moving forward.

“If there's not been any harm and Marriott can act to prevent that or help the consumer mitigate that, that could alleviate the repercussions for both Marriott and the consumers,” Boshell said.