Marriott International said Friday that the private information of up to 500 million guests may have been accessed as part of a breach of its Starwood guest reservation database, potentially one of the largest breaches of consumer data ever.
The world's largest hotel chain said it first received an alert in September from an internal security tool of an attempt to access the database. As part of an investigation, the company discovered there had been unauthorized access since 2014 and that an "unauthorized party" had copied and encrypted information.
Marriott said it determined on Nov. 19 that the information was from its Starwood database.
"The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property," the company said in a statement.
For about 327 million of the guests, it added, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
There are some customers who may have also had their credit card information taken. While that data would have been encrypted, Marriott said it can't rule out the information may have been decoded.
Marriott said it had taken steps to address the breach and is working with authorities. The company said that the "unauthorized party" was able to copy and encrypt some information within its system "and took steps toward removing it," but did not detail how much data had actually been removed.
Personal information exposed in data breaches can often make its way to the black market, where it can be purchased and used to execute a variety of attacks on individuals including identity theft and targeted email phishing schemes.
The company has set up a website for any consumers who worry that their information may have been part of the breach and will be notifying customers by email. Marriott will also provide guests with one year of WebWatcher, a digital security service.
"We deeply regret this incident happened," Marriott President and CEO Arne Sorenson said in a statement. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
Brian Frosh, the attorney general of Maryland, where Marriott is headquartered, tweeted that his office was launching an investigation into the breach.
"The Marriott data breach is one of the largest and most alarming we’ve seen," Frosh tweeted. "My office is launching an investigation to find out the circumstances that led to the breach and its impact on consumers."
Barbara Underwood, attorney general of New York, also tweeted that she had opened an investigation into the breach.
"New Yorkers deserve to know that their personal information will be protected," Underwood wrote.
Jake Williams, president and founder of cybersecurity firm Rendition Infosec, said that Marriott's statement was extremely vague and left him with more questions than answers.
"It is very inarticulately worded, I think is the best way to put it," Williams said. "I'm playing guesswork at what some of these statements mean."
He noted that companies can sometimes end up buying companies that have suffered security breaches without being aware of the problems, but that it was unclear if this was the case with Marriott.
The breach could potentially be one of the largest in history, behind the hacking of about 3 billion Yahoo accounts. Earlier this year, Under Armour said that data from about 150 million MyFitnessPal diet and fitness app accounts was compromised.
Marriott, based in Bethesda, Maryland, bought Starwood Hotels & Resorts Worldwide for $13 billion in 2016, creating the largest hotel chain in the world and adding Starwood's Sheraton, St. Regis, Westin and W properties to its collection.
Marriott at the time cited Starwood's guest loyalty program as a "central, strategic rationale" for the deal, given that Starwood's customers are typically higher income and travel more frequently.
The company also revealed the breach in a filing with the Securities and Exchange Commission, saying it did not expect the breach to hurt its business.
"The Company does not believe this incident will impact its long-term financial health," Marriott said in the filing.
Marriott shares were down about 4 percent in pre-market trading on Friday morning.
In addition to state attorneys general, the breach also caught the attention of politicians in Washington, many of whom have begun to embrace the need for greater regulation around how companies handle data breaches.
"Clearly the current status quo isn’t working — the Federal Trade Commission needs real powers with strong teeth in order to punish companies that lose or misuse Americans’ private information," Sen. Ron Wyden, D-Ore., said. "Until companies like Marriott feel the threat of multi-billion dollar fines, and jail time for their senior executives, these companies won’t take privacy seriously.”
Sen. Edward Markey, D-Mass., echoed Wyden's sentiment.
"It’s time for Congress to pass comprehensive consumer privacy and data security legislation that requires companies to adhere to strong data security standards, directs them to only collect the data they actually need to service their customer, and creates penalties for companies that fail to meet them," Markey said.