Marriott International said on Friday that its guest reservation system has been hacked, potentially exposing the personal information of approximately 500 million guests.
The hotel chain said the hack affected its Starwood reservation database, a group of hotels it bought in 2016 that included the St. Regis, Westin, Sheraton, W Hotels, Le Méridien and Four Points by Sheraton, CNN reported.
For roughly two-thirds of the guests who were possibly affected, the information in the breach included names, addresses, phone numbers, email addresses, passport numbers and travel details.
Marriott said some records also included encrypted payment card information, but it could not rule out the possibility that the encryption keys had also been stolen.
“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests and using lessons learned to be better moving forward,” said Chief Executive Arne Sorenson in a news release.
Marriott said that it reported the breach to law enforcement and was also notifying regulatory authorities.
According to the hotel chain, its internal security tool alerted it of a potential breach to its US database in September. However, it wasn’t until November 19 that Marriott was able to decrypt the information to find out what the contents of the breach were.
Marriott said an internal investigation found an attacker had been able to access the Starwood network since 2014 and it believed its database contained records of up to 500 million customers.
Marriott said it was notifying affected guests whose email addresses were in the Starwood database and was also setting up a call centre and a consumer website.
Following the news, Marriott’s stock plunged, falling nearly 6 per cent in premarket trading.