Marriott Breach Affects 500M Guests: NY Launches Investigation

NEW YORK, NY – Marriott announced a massive data breach on Friday that may have compromised the information of as many as 500 million customers who made a reservation at a Starwood property dating as far back as 2014. Marriott manages more than 6,700 properties around the world, including 210 in New York.

Marriott said it received an alert from an internal security tool on Sept. 8 regarding an attempt to access the guest reservation database in the United States.

"The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it," Marriott said in its statement. "On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database."

New York's Attorney General Barbara Underwood tweeted Friday that she had launched an investigation into the breach.

The company said it believes the database contains information on up to 500 million guests. However, the company said it had not finished identifying duplicate information.

“We deeply regret this incident happened,” Arne Sorenson, Marriott’s president and CEO, said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Marriott acquired Starwood in 2016 and the process of merging its computer system with Starwood computers has been marred by technical glitches. The company manages more than 6,700 properties across the globe. According to Marriott's directory, a majority of its properties (5014) are in the United States.

You can see a list of Marriott’s properties in New York here.

For about 327 million guests, the compromised information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some guests, payment card numbers and payment card expiration dates may have been compromised.

The former Starwood brands now under the Marriott umbrella include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.

The breach has been reported to law enforcement.

A dedicated website and call center has been set up to answer customer questions. Marriott says it will begin sending emails on a rolling basis starting Nov. 30 to affected guests.

Reporting from The Associated Press was used in this story.

Photo by Danny Johnston,File/Associated Press