The hotel chain said last Friday that the hack affects its Starwood database and a group of other hotels the company acquired in 2016, including St Regis, Westin, Sheraton and WQ Hotels.
Marriott said hackers managed to obtain access to Starwood’s systems, potentially revealing personal details of millions of guests.
After launching an internal investigation, the company found out that the attacker had been able to access Starwood’s network since 2014.
“The company recently discovered that an unauthorised party had copied and encrypted information, and took steps towards removing it,” Marriott said in a statement.
The statement said that Starwood’s network contained information on 500 million customers. For approximately 327 million of these guests, Marriott says that customers’ names, phone numbers, email addresses, passport numbers, dates of birth and arrival and departure information were exposed to hackers.
The statement also says that customers’ credit card and bank details were revealed. Marriott said that it can’t confirm whether the hackers were able to decrypt the payment card numbers, but does not rule out the possibility that encryption keys had been stolen.
“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s President and Chief Executive Officer. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott said it has informed authorities about the breach and will also begin sending out emails to customers whose records were in the database.
Those who were affected by the breach will also receive a free membership to Web Watcher, a personal information monitoring service. The company has warned guests to monitor their accounts for any suspicious activity and to change their account passwords.
Yahoo data hack
The breach is one of the biggest data breaches to hit a corporate business. Yahoo’s 2013 data breach compromised three billion accounts – the largest data breach of all time.
Since the hack involves customers in the European Union and the United Kingdom, the company could suffer further penalties for potentially violating the GDPR.
The UK’s data regulator has confirmed that it is currently investigating the situation further.