Hackers made off with passport and other information from millions of customers who stayed at Starwood branded hotels, and much of the data was unencrypted, making it highly vulnerable to fraudulent use, the New York Times reports.

Marriott International, which now owns the Starwood brand, said that hackers — suspected of working for Chinese intelligence agencies — got away with unencrypted information from about five million guest passports. The hack exposed information from about 383 million hotel reservations, making it the largest data breach in history.

The Chinese are reportedly attempting to create a database of information about individuals with sensitive government or private-sector jobs. The Chinese government denies any involvement in the cyberattack.

Marriott said that information from 5.25 million passports given to hotel clerks upon check-in was stored in unencrypted files, meaning anyone who accessed the Starwood servers could view the data. Information from another 20.3 million passports was encrypted; Marriott said there is “no evidence that the unauthorised third party accessed the master encryption key needed to decrypt the encrypted passport numbers.”

A Marriott spokesperson said the company is now “looking into our ability to move to universal encryption of passport numbers.”

Marriott has promised to replace the passports of customers who are victims of fraud due to the breach, but has not vowed to replace the passports of all customers whose information was compromised.

marriott.com