News

Marriott says data breach may have compromised 500M guests' information

If you’ve stayed at a Marriott company hotel over the past few months, you will want to keep an eye on your personal information.

Marriott Hotels announced Friday morning they discovered a massive data breach on its guest database which may have compromised nearly 500 million guests' information.

About 327 million guests had a combination of name, mailing address, phone number, email, passport number, Starwood Preferred Guest information, birthday and gender accessed by the hackers, Reuters reported.

The New York Attorney General has opened an investigation into the Marriott data breach.

Massachusetts' Attorney General Maura Healey announced later on Friday she's joining the New York AG in investigating the breach.

Marriott acquired Starwood in 2016 and the process of merging its computer system with Starwood computers has been marred by technical glitches.

The world's largest hotel chain says an unauthorized party accessed their database as far back as 2014, stealing everything from credit card numbers to mailing addresses for some people.

For others, passport information may also have been compromised.

In a statement, the company said, "For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

Marriott said in the release they have reported the incident to law enforcement.

The leak impacts customers who made reservations at a Starwood property.

If you made a reservation on or before Sept. 10, 2018 at a Starwood property, your information may be at risk.

Marriott says it first learned of the hack three months ago on Sept. 8.

Online, the firm said that Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

“We deeply regret that this incident happened,” said Arne Sorenson, Marriott’s President. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

“We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center," Sorenson continued. “We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

Beginning today, the company said they will be contacting the affected guests whose email addresses were in the Starwood guest reservation database.

"We fell short of what our guests deserve and what we expect of ourselves," CEO Arne Sorenson said in a prepared statement. "We are doing everything we can to support our guests, and using lessons learned to be better moving forward."

While the breach affected "approximately 500 million guests" who made a reservation at a Starwood hotel, some of those records could include a single person who booked multiple stays.

The company manages more than 6,700 properties across the globe.

While the first impulse for those potentially affected by the breach could be to check credit cards, security experts say other information in the database could be more damaging.

"The names, addresses, passport numbers and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted," said analyst Ted Rossman of CreditCards.com. "People should be concerned that criminals could use this info to open fraudulent accounts in their names."

When the merger was announced in 2015, Marriott had 54 million members of its loyalty program and Starwood had 21 million. Many people were members in both programs.

Asked for more details on the 500 million number, Marriott spokesman Jeff Flaherty said Friday that the company has not finished identifying duplicate information in the database.

An internal security tool signaled a potential breach in early September, but the company was unable to decrypt the information that would define what data had potentially been exposed until last week.

Marriott, based in Bethesda, Maryland, said in a regulatory filing that it's premature to estimate what financial impact the data breach will have on the company. It noted that it does have cyber insurance, and is working with its insurance carriers to assess coverage.

The Starwood breach stands out among even the largest security hacks on record. Hilton had two separate data breaches that exposed more than 350,000 credit card numbers. One breach began in November 2014 and another in April 2015. Yahoo had a data breaches in 2013 and 2014 that impacted about 3 billion of its accounts. Target also had an incident in 2013 that affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. Last year, Equifax disclosed a data breach that affected more than 145 million people.

The former Starwood brands now under the Marriott umbrella include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.

Marriott has had a rocky process of merging its computer system with Starwood computers. Members of both loyalty programs have complained about missing points, glitches with stays crediting to their accounts and problems with free nights earned from credit cards not appearing.

Sorenson said that Marriott is still trying to phase out Starwood systems.

Marriott has set up a website and call center for anyone who thinks that they are at risk.

Shares of Marriott tumbled 5 percent at the opening bell.

MORE: Marriott hotel workers on strike reach tentative agreement over wages

The Associated Press contributed to this report