Marriott International has announced a major breach of its customer data, with around 500 million guests affected.
In a statement the group said that an investigation had uncovered that “there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018”.
Marriott added that the investigation had shown that there had been unauthorized access to the Starwood network since 2014.
Of the half a billion guests affected, the group says that 327 million had some combination of name, mailing address, phone number, email address, passport number, SPG account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences compromised.
“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128),” added Marriott.
“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”
Marriott said that it had been made aware of the breach on September 8 via an internal security tool, and that it had “quickly engaged leading security experts to help determine what occurred”.
The group has taken a number of steps “to help guests monitor and protect their information”, including a dedicated website and call centre, email notifications and free Webwatcher enrollment for affected guests.
The announcement is the latest in a series of data breaches involving hotels and airlines.
In September British Airways suffered a breach of data from its website and mobile app, while in October a hack of Cathay Pacific’s information system exposed the personal data of up to 9.4 million people.
And later that month Radisson Hotel Group confirmed that it had suffered a data breach affecting “a small percentage of our Radisson Rewards members”.