Marriott is investigating a massive data breach involving its Starwood guest reservation database.
According to the global hotel chain, on November 19, 2018, an investigation determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018.
On that day, Marriott said it had received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the US.
It then learned that there had been unauthorized access to the Starwood network since 2014.
“The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it,” said the company.
Marriott said that it has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.
For approximately 327 million of these guests, the information compromised includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
For others, the information also includes payment card numbers and payment card expiration dates. As for the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.
Marriott has since reported this incident to law enforcement and continues to support their investigation.
“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s President and Chief Executive Officer. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The hotel has begun sending emails on a rolling basis to affected guests whose email addresses are in the Starwood guest reservation database.
Starwood brands that may have been affected include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.