Marriott Breach Affects Up To 500 Million Starwood Guests

BETHESDA, MD — Marriott announced on Friday that a data breach involving the Starwood Guest Reservation database had compromised the information of as many as 500 million customers.

Marriott said it received an alert from an internal security tool on Sept. 8 regarding an attempt to access the guest reservation database in the United States. The company's information found that there had been unauthorized access to the Starwood network since 2014.

"The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it," Marriott said in its statement. "On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database."

The company said it believes the database contains information on up to 500 million guests that made a reservation on a Starwood property. However, the company said it had not finished identifying duplicate information.

“We deeply regret this incident happened,” Arne Sorenson, Marriott’s President and CEO, said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Marriott acquired Starwood in 2016 and the process of merging its computer system with Starwood computers has been marred by technical glitches. The company manages more than 6,700 properties across the globe. According to Marriott's directory, a majority of its properties (5014) are in the United States.

For about 327 millions guests, the compromised information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some guests, payment card numbers and payment card expiration dates may have been compromised.

The former Starwood brands now under the Marriott umbrella include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.

The breach has been reported to law enforcement.

A dedicated website and call center has been set up to answer customer questions. Marriott says it will begin sending emails on a rolling basis starting Nov. 30 to affected guests.

Reporting from The Associated Press was used in this story.

Photo by Danny Johnston,File/Associated Press