More than 500 million customers’ personal information may have been compromised by a data breach, Marriott International announced Friday.
The Bethesda-based firm, the world’s largest hotel chain, said a breach in its Starwood properties guest reservation database had been detected in September. An investigation determined last week that there was an unauthorized breach.
“We deeply regret this incident happened,” Arne Sorenson, Marriott’s president and CEO, said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott, which completed its acquisition of Starwood in 2016, learned that unauthorized access to the Starwood network had been occurring since 2014 and that someone without authorization had copied and encrypted information.
That data includes information on about 500 million guests who made a reservation with a Starwood property. Specifically, for 327 million guests, Marriott said the compromised data includes a combination of names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates and communication preferences.
For some of those people, the accessed data also includes payment card numbers and payment card expiration dates. While card numbers were encrypted, Marriott said it has not been able to rule out the possibility that both decryption components needed to see the information were also taken.
The hotel chain has contacted law enforcement and said it has begun to notify regulatory authorities.
Maryland Attorney General Brian E. Frosh said he would take a “hard look” at Marriott’s actions.
“The Marriott data breach is one of the largest and most alarming we’ve seen,” Frosh said in a statement. “My office will be taking a hard look at Marriott’s actions to understand the circumstances that led to the breach.”
Marriott’s Starwood properties include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. It also includes Starwood-branded timeshare properties.
“Today, Marriott is reaffirming our commitment to our guests around the world,” Sorenson said in his statement. “We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
The firm has created a website and call center for guests. It has also begun emailing notifications, on a rolling basis, to guests whose email addresses are in the affected Starwood database.
Marriott also said it would provide guests one free year of WebWatcher, a personal information monitoring tool.
Maryland will be monitoring how Marriott responded to the breach and worked to protect its guests, Frosh said.
“We will also be working with the company to make sure all customers who may have been impacted are notified and provided the resources to protect their personal information,” Frosh said in a statement. “We will be closely monitoring the company’s response to ensure that consumers are protected while we continue to investigate the data breach.”