As many as 500 million people who made reservations at Starwood properties over the last four years may have had their personal information accessed in a security breach, Marriott announced Friday morning.
The hotel chain said the hack involved the Starwood guest reservation database, which contained information on reservations made on or before Sept. 10, 2018. The group of hotels includes the St. Regis, Westin, Sheraton and W Hotels.
Jason Middleton, host of Techonomics, says hackers were able to gain access to the personal information of approximately 327 million guests.
"The information included some combination of name, mailing address, phone number, email address, passport number, account information, date of birth, gender, arrival and departure information, and of course credit cards," Middleton said.
While some of the data points were encrypted, "Marriott says they can't tell if [the hackers] got the encryption codes," said Middleton.
Marriott learned of the possible breach on Sept. 8, when an internal security tool alerted them to hackers attempting to access the Starwood database in the United States. The hotelier enlisted security experts to assess the breach and investigate the source. During the course of the investigation, they learned hackers had been gaining unauthorized access to Starwood's database since 2014.
Marriott says they recently discovered that "an unauthorized party" had copied and encrypted guest information and had taken steps to remove it. When the hotel chain was able to decrypt the information, they determined that the contents were from the Starwood guest reservation database.
Of the remaining guests whose information was accessed, hackers were only able to gain names and occasionally other data, such as email addresses, mailing address, or other information.
"We deeply regret this incident happened," Marriott President and CEO Arne Sorenson said in a statement. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
Following its 2016 merger with Starwood Hotels and Resorts, worth $13 billion, Marriott became the largest hotel chain in the world, with more than 6,700 hotels open around the world.
Marriott wrote that they will contact the affected customers whose email addresses are in their database. The hotel chain says they will provide online account monitoring software to those affected by the breach for one year. The service, WebWatcher, reimburses fraud loss of up to $1 million, and customers in the U.S. are eligible for fraud consultation services and reimbursement coverage.
Customers affected by the breach can enroll in WebWatcher and get additional information about the breach at answers.kroll.com.
As customers turn over more and more personal information to companies, data breaches like this have become common. In 2013, Yahoo! was hacked, with a breach that affected as many as 3 billion accounts. A subsequent data breach at Yahoo! hit another 500 million accounts.
Facebook revealed in October this year that 30 million users on the online social platform had their personal data accessed.