Marriott International Inc., the world’s largest hotel company, said it identified a data breach in its Starwood reservation system that may have exposed personal information of up to 500 million guests.
For roughly two-thirds of the guests who were possibly affected, an unauthorized party may have had access to names, addresses, phone numbers, email addresses, passport numbers, and travel details, Marriott
said Friday. In some cases, the company said, the information also included payment-card information. Marriott said payment-card numbers are usually encrypted, though it could not rule out that card information was stolen.
“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward,” Marriott Chief Executive Arne Sorenson said in a news release.
Marriott said its internal security tool alerted it of a potential breach to its U.S. database on Sept. 8. After an investigation, the company found that the Starwood guest database may have been compromised since 2014, which precedes Marriott’s acquisition of Starwood. The database contained information for guests who made reservations on or before Sept. 10.
The company found the unauthorized party had copied and encrypted information from the database, and had attempted to steal it. However, it wasn’t until Nov. 19 that Marriott was able to decrypt the information to find out what the contents of the breach were.
Popular now on WSJ.com:
We Want to
Hear from You
Join the conversation