The world’s largest hotel company, Marriott International, said on Friday that up to 500 million hotel guests may have had their personal details hacked in a massive four-year-long breach of a reservation database.
Marriott said its Starwood Hotels & Resorts reservation database in the United States had suffered a “data security incident” involving unlawful access stretching back to 2014.
The company said an “unauthorised party had copied and encrypted information and took steps towards removing it.”
In a statement released on Friday, Marriott said it had not yet finished identifying the information that had been duplicated, but that it was believed to contain details on up to 500 million guests.
Of these, some 327 records included some combination of name, mailing address, phone number, email address, passport number and reservation details.
“For some, the information also includes payment card numbers and payment card expiration dates,” the statement read, adding that it could not rule out that the information needed to decrypt this data was also taken.
Hotels in the Starwood network include Sheraton, Four Points by Sheraton and W Hotels.
“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and CEO.
“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The breach came to light on September 8 when “an internal security tool” alerted Marriott to an attempt to hack the Starwood database in the US.
During a subsequent investigation, the company learned that the breach had been ongoing since 2014. On November 19, Marriott “was able to decrypt the information and determined that the contents were from the Starwood guest reservation database”.
Marriott values our guests and understands the importance of protecting personal information. For more information on the Starwood guest reservation database security incident, please visit https://t.co/NWd6Dg2oOQ.
— Marriott International (@MarriottIntl) November 30, 2018
Marriott reported the incident to law enforcement and started notifying regulatory authorities.
The company also set up a website and call centre for those who think they may have been affected. On Friday, Marriott will begin sending emails to those identified.
New York Attorney General Barbara Underwood said her office opened an investigation into the incident.
“New Yorkers deserve to know that their personal information will be protected,” Underwood said on Twitter.
Marriott and Starwood merged two years ago and attempts to combine the loyalty programmes have been marred by technical difficulties.
In the company’s Friday statement, Sorenson said the chain would begin to phase out the Starwood systems and devote the necessary resources to “accelerate the ongoing security enhancements to our network”.
Shares of Marriott tumbled six percent before the opening bell on Friday.