Marriott International Inc said on Friday that fewer than 383 million customer records were stolen in a massive cyber attack disclosed last month, down from its initial estimate that up to 500 million guests were affected.

The hotel operator also said that some 25.55 million passport numbers were stolen in the attack on the Starwood Hotels reservation system, 5.25 million of which were stored in plain text. Another 8.6 million encrypted payment cards were also taken in the attack, it said.

Marriott previously confirmed that passport numbers and payment cards were taken, but not said how many.

The company disclosed on Nov. 30 that it had discovered its Starwood hotels reservation database had been hacked over a four-year period in one of the largest breaches in history. At least five U.S. states and the UK’s Information Commissioner’s Office are investigating the attack.

Marriott also said that it had completed an effort to phase out the Starwood reservations database that it acquired in September 2016 with its $13.6 billion purchase of Starwood. The hack began in 2014, a year before Marriott offered to buy Starwood.