Marriott admits to data breach affecting up to 500 million hotel guests since 2014
Starwood hotels such as Sheraton and Westin are affected, including those in Canada
The Associated Press · Posted: Nov 30, 2018 9:41 AM ET | Last Updated: 13 minutes ago
The information of as many as 500 million guests at Starwood hotels has been compromised, and Marriott said that it's discovered that unauthorized access within its Starwood network has been taking place since 2014.
The company said Friday that credit card numbers and expiration dates of some guests may have been taken. For as many as two-thirds of those affected, exposed data could include mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.
For some guests, the information was limited to name and sometimes other data, such as mailing address, email address or other information.
"We fell short of what our guests deserve and what we expect of ourselves," Marriott CEO Arne Sorenson said in a prepared statement. "We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
Email notifications to those who may have been affected will begin rolling out Friday.
While the breach affected "approximately 500 million guests" who made a reservation at a Starwood hotel, some of those records could belong to people who had multiple stays.
When the two companies announced their merger in November 2015, Marriott had 54 million members of its loyalty program and Starwood had 21 million. Many travelers were members of both programs. The combined chain now has more than 6,700 hotels around the world, and more than 1.1 million rooms.
Asked for more details on the 500 million figure, Marriott spokesman Jeff Flaherty said Friday morning that the company has not finished identifying duplicate information in the database.
Marriott said that there was a breach of its database in September, which had guest information related to reservations at Starwood properties on or before Sept. 10.
An internal security tool signaled a potential breach on Sept. 8, but the company was unable to decrypt the information that would define what data had potentially been exposed.
The company says anyone who stayed in a Starwood hotel in any country — including Canada — since 2014, could have had their data improperly accessed. Mariott-branded hotels would not be included since they use a different system, but Starwood operates hotels under the following names:
W Hotels.
St. Regis.
Sheraton Hotels & Resorts.
Westin Hotels & Resorts.
Element Hotels.
Aloft Hotels.
The Luxury Collection.
Tribute Portfolio.
Le Meridien Hotels & Resorts.
Four Points by Sheraton and Design Hotels.
Starwood-branded timeshare properties are also included.
Marriott has had a rocky process of merging its computer system with Starwood computers. Members of both loyalty programs have complained about missing points, glitches with stays crediting to their accounts and problems with free nights earned from credit cards not appearing.
Sorenson said that Marriott is still trying to phase out Starwood systems.
Marriott has set up a website and call centre for anyone who thinks they are at risk.