As Many as 500 Million Potentially Affected by Marriott Data Breach

"The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property," Marriott said in a statement.

• By Jessica Davis
• Dec 04, 2018

Marriott International, the world’s largest hotel chain, has announced a breach of its Starwood guest reservation database, saying as many as 500 million guests may be affected. The Marriott breach may be one of the largest-ever breaches of consumer data.

According to Marriott, the chain was first alerted about an attempt to access the database by an internal security tool in September. While investigating, the company found that there had been unauthorized access since 2014 and that information had been copied and encrypted by an “unauthorized party.” The company determined Nov. 19 that the information came from its Starwood database.

"The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property," Marriott said in a statement.

Marriott said that for about 327 million of the guests affected, the information accessed includes some combination of a name, mailing address, phone number, email, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation data and communication preferences.

Some customers may have also had their credit card information taken, and while Marriott said that data would have been encrypted, it’s possible it could have been decoded.

Marriott said it was working with authorities and addressing the breach. The company said the “unauthorized party” who accessed the data was able to copy and encrypt some information “and took steps toward removing it,” but did not specify how much data had been removed.

"We deeply regret this incident happened," Marriott President and CEO Arne Sorenson said in a statement. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."

Marriott has set up a website for any guests who are concerned that their information could have been accessed in the data breach and will be notifying consumers via email. The company will also provide guests with one year of a digital security service.