US: The records of up to 500 million Marriott International customers have been involved in a data breach.
The company said the guest reservation database of its Starwood division had been compromised by an unauthorised party. An internal investigation has revealed that an attacker had been able to access to the Starwood network since 2014.
The company said it would notify customers whose records were in the database.
Starwood’s hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network.
Marriott said it was alerted by an internal security tool that somebody was attempting to access the Starwood database. After investigating, it discovered that an “unauthorised party had copied and encrypted information”.
It said it believed its database contained records of up to 500 million customers.
For about 327 million guests, the information included “some combination” of name, address, phone number, email address, passport number, account information, date of birth, gender, arrival and departure information.
It said some records also included encrypted payment card information, but it could not rule out the possibility that the encryption keys had also been stolen.
“We deeply regret this incident happened,” the company said in a statement. “Marriott reported this incident to law enforcement and continues to support their investigation. The company has already begun notifying regulatory authorities.”
The company has set up a website to give affected customers more information. It will also offer customers in the US and some other countries a year-long subscription to a fraud-detecting service.
In a statement, the UK’s Information Commissioner’s Office said: “We have received a data breach report from Marriott involving its Starwood Hotels and will be making enquiries. If anyone has concerns about how their data has been handled they can report these concerns to us.”
Hotel groups have been frequent targets of hackers – in 2016 Kimpton was the victim of a malware scam.