Marriott says data breach compromised info of up to 500 million guests


Nov. 30, 2018 / 11:44 AM GMT / Updated 12:35 PM GMT

By Erik Ortiz

Marriott International said Friday that up to 500 million guests’ information may have been accessed as part of a breach of its Starwood guest reservation database, potentially one of the largest breaches of consumer data ever.

The world’s largest hotel chain said it first received an alert in September from an internal security tool of an attempt to access the database. As part of an investigation, the company discovered there had been unauthorized access since 2014 and that an “unauthorized party” had copied and encrypted information.

Marriott said it determined on Nov. 19 that the information was from its Starwood database.

“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property,” the company said in a statement.

For about 327 million of the guests, it added, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

There are some customers who may have also had their credit card information taken. While that data would have been encrypted, Marriott said it can’t rule out the information may have been decoded.

Marriott said it had taken steps to address the breach and is working with authorities. The company said that the “unauthorized party” was able to copy and encrypt some information within its system “and took steps toward removing it,” but did not detail how much data had actually been removed.

The company has set up a website for any consumers who worry that their information may have been part of the breach and will be notifying customers by email. Marriott will also provide guests with one year of WebWatcher, a digital security service.

“We deeply regret this incident happened,” Marriott President and CEO Arne Sorenson said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

The breach could potentially be one of the largest in history, behind the hacking of about 3 billion Yahoo accounts. Earlier this year, Under Armour said that data from about 150 million MyFitnessPal diet and fitness app accounts was compromised.

Marriott, based in Bethesda, Maryland, bought Starwood Hotels & Resorts Worldwide for $13 billion in 2016, creating the largest hotel chain in the world and adding Starwood’s Sheraton, St. Regis, Westin and W properties to its collection.

Marriott at the time cited Starwood’s guest loyalty program as a “central, strategic rationale” for the deal, given that Starwood’s customers are typically higher income and travel more frequently.

The company also revealed the breach in a filing with the Securities and Exchange Commission, saying it did not expect the breach to hurt its business.

“The Company does not believe this incident will impact its long-term financial health,” Marriott said in the filing.

Marriott shares were down about 4 percent in pre-market trading on Friday morning.