Updated at 11:55 a.m. ET
In one of the largest cybersecurity breaches in history, Marriott International said Friday that information on up to about 500 million of its customers worldwide was exposed in a breach of its Starwood guest reservation database dating as far back as 2014.
The world’s largest hotel chain said it learned of the breach on Sept. 8.
The company said the Marriott hotel network was not affected. “The investigation only identified unauthorized access to the separate Starwood network,” it said. Marriott acquired Starwood Hotels & Resorts Worldwide in 2016.
For 327 million of the affected guests, the compromised data includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences,” the company said.
For some customers, the information “also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted,” Marriott added. But the company said it could not rule out the possibility that the hackers were able to decrypt those details.
Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Four Points by Sheraton and Starwood-branded timeshare properties.
Marriott said it reported the data breach to law enforcement officials and has begun to notify “regulatory authorities.”
“New Yorkers deserve to know that their personal information will be protected,” New York Attorney General Barbara Underwood said in a tweet.
“We want to know who was affected, what personal info was compromised, how it happened, and when Marriott knew about the #breach,” Pennsylvania Attorney General Josh Shapiro tweeted.
Arne Sorenson, Marriott’s president and chief executive officer, said: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott has set up a special website and call center to provide information on the incident. The U.S. call center number is (877) 273-9481. Marriott said it will begin notifying affected guests by email starting Friday.
Marriott’s stock was down about 5 percent late Friday morning.
The data breach is one of the largest in history. It’s not as massive as the 2013 hack of Yahoo, which hit 3 billion users and exposed data including names, email addresses, phone numbers, birthdates and passwords. But the Marriott breach includes sensitive data such as passport numbers, mailing addresses and credit card information.
Equifax said about 148 million people were impacted by a massive cybersecurity breach of the credit-reporting agency last year. That data included names, Social Security numbers, birthdates, addresses and, in some cases, driver’s license numbers and credit card information.
The Marriott hack is “one of the most significant data breaches in history given the size … and the sensitivity of the personal information that was stolen,” Ted Rossman, an analyst with CreditCards.com, said in an email.
Given the sensitive personal information involved, he said, people “should be concerned that criminals could use this info to open fraudulent accounts in their names.”
Rossman recommends that affected people freeze their credit by contacting credit agencies Experian, Equifax and TransUnion.