Massive, extended data breach within Marriott’s hotel empire

BETHESDA, Md. (AP) — A security breach inside Marriott’s worldwide hotel empire has compromised the information of as many as 500 million guests, exposing in some cases credit card numbers, passport numbers and birthdates, the company said Friday.

Alarming security analysts, Marriott said that unauthorized access to data within its Starwood network has been taking place since 2014 in what may be among the largest data breaches on record.

Marriott acquired Starwood in 2016 and the process of merging its computer system with Starwood computers has been marred by technical glitches.

The company said credit card numbers and expiration dates of some guests may have been taken. For as many as two-thirds of those affected, data exposed could include mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For some guests, the information was limited to name and sometimes other data such as mailing address, email address or other information.

“We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said in a prepared statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Email notifications to those who may have been affected will begin rolling out Friday.

While the breach affected “approximately 500 million guests” who made a reservation at a Starwood hotel, some of those records could include a single person who booked multiple stays.

The company manages more than 6,700 properties across the globe.

While the first impulse for those potentially affected by the breach could be to check credit cards, security experts say other information in the database could be more damaging.

“The names, addresses, passport numbers and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted,” said analyst Ted Rossman of CreditCards.com. “People should be concerned that criminals could use this info to open fraudulent accounts in their names.”

When the merger was announced in 2015, Marriott had 54 million members of its loyalty program and Starwood had 21 million. Many people were members in both programs.

Asked for more details on the 500 million number, Marriott spokesman Jeff Flaherty said Friday that the company has not finished identifying duplicate information in the database.

An internal security tool signaled a potential breach in early September, but the company was unable to decrypt the information that would define what data had potentially been exposed until last week.