Marriott International, the world’s largest hotel chain, said personal information for as many as 500 million guests may have been compromised in a security breach of its Starwood Hotel brand’s reservation database.
The Maryland-based hospitality company said in a statement Friday that an investigation recently revealed there had been “unauthorized access” since 2014 to the database, which contains guest information relating to reservations at Marriott’s Starwood properties, and that a hacker had “copied and encrypted information.”
“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property,” Marriott said in its statement.
The company acquired Starwood and its portfolio of W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Tribute Portfolio, Le Méridien, Four Points by Sheraton and Design Hotels brands and Starwood timeshare properties two years ago.
The compromised information includes names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood Preferred Guest loyalty program account information, arrival and departure information, reservation dates, and communication preferences.
“We deeply regret this incident happened,” Marriott’s president and CEO, Arne Sorenson, said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The company said it is working with law enforcement as well as leading security experts to investigate and address the breach.
New York Attorney General Barbara Underwood announced that her office was investigating the breach.
“We’ve opened an investigation into the Marriott data breach. New Yorkers deserve to know that their personal information will be protected,” she tweeted Friday morning.
Lisa Madigan, the Illinois attorney general, also said her office would investigate.
Top 5 worst hacks
How does the Marriott breach compare to Yahoo’s and Equifax’s?
“[Marriott] is not the largest breach in terms of number of records and was not the worst in terms of identity theft potential but it is easily in the top five for worst hacks that directly impact the general public,” Jim McCoy, creator of the Vektor home cybersecurity device and former tech lead of security tools and operations at Facebook, told ABC News.
The depth and scope of the Marriott breach raised alarm for cybersecurity experts, especially with respect to the credit card information. Card numbers stored by merchants are encrypted, but there are several ways a company can do so, and they differ in how much a single compromise exposes.
Businesses “can encrypt the credit card number for each entry in the database individually or they can encrypt the entire column of credit card numbers as a single opaque blob, or they can just encrypt the database with a single key,” McCoy said. “The most telling bit of information I am waiting to hear is how many credit cards were compromised — if the number is large then it is likely this was a single key for the entire database and Marriott is in deep trouble.”
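The layouts McCoy describes differ in how much one exposed key reveals. The Go snippet below is an added illustration, not code from the article or from Marriott's or Starwood's systems: it contrasts one shared key for the whole column with envelope encryption, where each record gets its own data key wrapped under a master key, and CountReadable measures how many rows a single leaked key decrypts. AES-256-GCM is an assumed choice of cipher (the article names none), and any card numbers or keys fed to it are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key, prefixing the random nonce to the output.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails if the key is wrong or the data was tampered with.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// SealPerRecord (envelope encryption): a fresh data key per card, stored wrapped under masterKey.
func SealPerRecord(masterKey []byte, card string) (ct, wrappedKey []byte, err error) {
	dataKey := make([]byte, 32)
	if _, err = rand.Read(dataKey); err != nil { return nil, nil, err }
	if ct, err = Seal(dataKey, []byte(card)); err != nil { return nil, nil, err }
	wrappedKey, err = Seal(masterKey, dataKey)
	return ct, wrappedKey, err
}

// CountReadable is the blast radius of one exposed key: how many stored ciphertexts it decrypts.
func CountReadable(key []byte, cts [][]byte) (n int) {
	for _, ct := range cts {
		if _, err := Open(key, ct); err == nil { n++ }
	}
	return n
}
```

With the same cards sealed both ways, the shared key reads every row, while one unwrapped data key reads only its own row and the master key alone reads none of the data directly.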
What consumers can do now
Marriott said it would start sending emails to affected customers on Friday, on a rolling basis. But there were steps consumers could take in the meantime to protect their information from further exploitation.
McCoy said it appeared the breach was discovered while hackers were accessing the data, and probably before it was on the open market.
“This means Marriott and all affected customers probably have a small window to set up fraud protection before hackers start bulk selling the data to identity theft rings,” McCoy said. “The fact that Marriott is offering fraud detection services means that they see this as the long-term problem as well.”
He advised customers to be aware of scammers looking to capitalize on the breach.
“These sorts of events also bring out a second set of scammers who will be sending phishing emails pretending to be Marriott and asking users to either ‘confirm’ details or enter details to see if they are on the list,” then use the information to steal identities, McCoy said. “Go directly to Marriott’s sites or to the Kroll site set up specifically for this and do not click on links or attachments that are sent in any message claiming to be from Marriott.”
ABC News’ Ryan Burrow and Aaron Katersky contributed to this report.