A security breach inside Marriott's worldwide hotel empire has compromised the information of as many as 500 million guests, exposing in some cases credit card numbers, passport numbers and birthdates, the company said Friday.
Alarming security analysts, Marriott said that unauthorized access to data at former Starwood hotels and that company's reservation system has been taking place since 2014.
It may be among the largest data breaches on record. Last year's alarming Equifax hack affected more than 145 million people.
The affected hotel brands operated by Starwood before it was acquired by Marriott in 2016, include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood branded timeshare properties are also included.
None of the Marriott-branded chains are threatened.
The company said credit card numbers and expiration dates of some guests may have been taken. For as many as two-thirds of those affected, data exposed could include mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For some guests, the information was limited to name and sometimes other data such as mailing address, email address or other information.
"We fell short of what our guests deserve and what we expect of ourselves," CEO Arne Sorenson said in a prepared statement. "We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
Email notifications for those who may have been affected begin rolling out Friday.
Marriott said an internal security tool signaled a potential breach on Sept. 8. The company learned during an investigation that its Starwood guest reservation database had "unauthorized" access since 2014. It also discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On Nov. 19., Marriott was able to decrypt the information and determined that the exposed contents were from the Starwood guest reservation database, which had guest information related to reservations at Starwood properties on or before Sept. 10.
While the breach affected "approximately 500 million guests" who made a reservation at a Starwood hotel, some of those records could belong to people who had multiple stays. Marriott spokesman Jeff Flaherty said Friday morning the company has not finished identifying duplicate information in the database.
Marriott has set up a website and call center (USA: 877-273-9481) for anyone who thinks that they are at risk and to answer questions about the breach. The company is also offering affected guests with one year of free WebWatcher, a digital security service.
While the first impulse for those potentially affected by the breach could be to check credit cards, security experts say other information in the database could be more damaging.
"The names, addresses, passport numbers and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted," said analyst Ted Rossman of CreditCards.com. "People should be concerned that criminals could use this info to open fraudulent accounts in their names."
The former Starwood brands now under Marriott also include Tribute Portfolio and Design Hotels. In all, the company manages more than 6,700 properties across the globe.
When the two companies announced their merger in November 2015, Marriott had 54 million members of its loyalty program and Starwood had 21 million. Many people were members in both programs.
Marriott has had a rocky process of merging its computer system with Starwood computers. Members of both loyalty programs have complained about missing points, glitches with stays crediting to their accounts and problems with free nights earned from credit cards not appearing.
Sorenson said that Marriott is still trying to phase out Starwood systems.
Marriott, based in Bethesda, Maryland, said in a regulatory filing that it's premature to estimate what financial impact the data breach will have on the company. It noted that it does have cyber insurance, and is working with its insurance carriers to assess coverage.
The Starwood breach stands out among even the largest security hacks on record. Hilton had two separate data breaches that exposed more than 350,000 credit card numbers. One breach began in November 2014 and another in April 2015. Yahoo had a data breaches in 2013 and 2014 that impacted about 3 billion of its accounts. Target also had an incident in 2013 that affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. Last year, Equifax disclosed a data breach that affected more than 145 million people.
The reaction to the breach was swift Friday.
The New York Attorney General opened an investigation. Virginia Sen. Mark Warner, co-founder of the Senate cybersecurity caucus and the top Democrat on the Senate intelligence committee, said that the U.S. needs laws that will limit the data companies can collect on its customers.
"It is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses," Warner said in a prepared statement.
Shares of Marriott tumbled 5 percent at the opening bell.