Marriott says personal data for about 500 million people stolen by hackers

Mike Dougherty
November 30, 2018 - 7:06 am


PHILADELPHIA (KYW Newsradio) — Marriott International says that personal information for about 500 million people has been stolen by hackers from its Starwood guest reservation system. 

The breach was discovered in September, and an internal investigation revealed that the data stolen goes all the way back to 2014.

The company said Friday that credit card numbers and expiration dates of some guests may have been taken. For as many as two-thirds of those affected, data exposed could include mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For some guests, the information was limited to name and sometimes other data such as mailing address, email address or other information.

Credit card numbers are encrypted, but hotel officials say there's a chance hackers were able to get past the two layers of encryption.

In a Friday press release, Marriott CEO Arne Sorenson said the company fell short of what guests deserve and is using the lessons learned to be better moving forward.

Email notifications to those who may have been affected will begin rolling out Friday.

While the breach affected "approximately 500 million guests" who made a reservation at a Starwood hotel, some of those records could belong to people who had multiple stays.

When the two companies announced their merger in November 2015, Marriott had 54 million members of its loyalty program and Starwood had 21 million. Many travelers were members in both programs.

Asked for more details on the 500 million number, Marriott spokesman Jeff Flaherty Friday morning said the company has not finished identifying duplicate information in the database.

Marriott said that there was a breach of its database in September, which had guest information related to reservations at Starwood properties on or before Sept. 10.

An internal security tool signaled a potential breach on Sept. 8, but the company was unable to decrypt the information that would define what data had potentially been exposed.

Starwood operates hotels under the names W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood-branded timeshare properties are also included.

Marriott has had a rocky process of merging its computer system with Starwood computers. Members of both loyalty programs have complained about missing points, glitches with stays crediting to their accounts and problems with free nights earned from credit cards not appearing.

Sorenson said that Marriott is still trying to phase out Starwood systems.

Anyone who stayed at a Starwood property between 2014 and this year is eligible for free fraud monitoring services.

There is also a website and call center to answer any questions customers may have.


The Associated Press contributed to this report.