A major security breach impacting on half a billion guest records in the Starwood reservation system has been disclosed by Marriott.
The chain says the hack goes back four years, prior to the merger of the two business.
It was only identified in September this year when an alert was received from an internal security tool that saw an an unauthorized attempt to access the Starwood guest reservation system in the U.S.
Officials say they discovered the hack had managed to copy and encrypt information on 500 million guests during the four-year period but it took until mid-November to unravel the extent of the breach.
The details and scale of the attack were disclosed by Marriott in a statement today.
Guests affected by the breached will be notified from today, Marriott says, with a dedicated website and call center created to handle questions.
Of the half a billion, approximately 327 million guests are at the most serious risk, with "some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences" taken by the hackers.
For the remaining 173 million, information stolen came in the form of name and possibly mailing addresses and emails.
Marriott says the larger of the two breaches also includes details of the payment cards belonging to guests.
For some, the company says, the information includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).
The statement says: "There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken."
Executive action
In the statement, Marriott’s president and CEO, Arne Sorenson, says the company "fell short of what our guests deserve and what we expect of ourselves".
Regulators and law enforcement authorities are working with the company to investigate the breach.
Sorenson adds: "Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center.
"We will also continue to support the efforts of law enforcement and to work with leading security experts to improve.
"Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network."