Marriott revealed on Friday that the personal information of up to 500 million customers has been stolen as part of a breach of one of its guest reservation systems.
The hotel chain said the hack specifically affected its Starwood reservation database — a group of hotels it purchased for $13 billion in 2016, including the Sheraton, St. Regis, Westin and W hotels.
Marriott said in a statement that it was first alerted to the hack on Sept. 8 from an internal security tool and “quickly engaged leading security experts to help determine what occurred.”
On Nov. 19, Marriott determined the stolen information was from its Starwood database and that the breach dated back years.
“Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014,” the statement continued. “The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.”
For an estimated 327 million Starwood guests, the exposed information includes their names, phone numbers, email addresses, genders, passport numbers, date of birth and arrival and departure of information. For others, it also includes payment information and card expiration dates while some only had their name and mailing address leaked.
Marriott, the largest hotel in the world, also warned its customers that it can’t determine whether that hackers managed to gain access to and decrypt credit card numbers.
“We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center,” said Arne Sorenson, Marriott’s President and Chief Executive Officer.
“We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”