Data belonging to up to 500 million Marriott guests may have been compromised, the company has said, following a breach of its Starwood guest reservation database.
An initial investigation, said Marriott, revealed there had been unauthorised access to the Starwood network since 2014 and that an “unauthorised party” had copied and encrypted information.
Marriott said it was finally able to decrypt this information on November 19 and learned the contents was from its Starwood systems.
In a statement issued on Friday (November 30), the company said the duplicate information contained data relating to around 500 million guests who made reservations at Starwood properties.
For approximately 327 million of these guests, their information included a combination of: name; mailing address; phone number; email address; passport number; Starwood Preferred Guest account information; date of birth; gender; arrival and departure information; reservation date; and communication preferences.
For some, this information also included payment card numbers and payment card expiration dates. Marriott has said payment card numbers were encrypted.
However, it further stated: “There are two components needed to decrypt the payment card numbers. At this point, Marriott has not been able to rule out the possibility that both were taken.”
“We deeply regret this incident happened,” said Arne Sorenson, Marriott president and chief executive officer. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”