Marriott says data breach compromised info of up to 500 million guests

NBC News (NBC) - Marriott International said Friday that up to 500 million guests' information may have been accessed as part of a breach of its Starwood guest reservation database, potentially one of the largest breaches of consumer data ever.

The world's largest hotel chain said it first received an alert in September from an internal security tool that there was an attempt to access the database. As part of an investigation, the company discovered there had been unauthorized access since 2014, and that an "unauthorized party" had copied and encrypted information.

On Nov. 19, Marriott said it determined that information was from its Starwood database.

"The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property," the company said in a statement.

For about 327 million of the guests, it added, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

There are some customers who may have also had their credit card information taken. While that data would have been encrypted, Marriott said it can't rule out the information may have been decoded.

Marriott said it had taken steps to address the breach and is working with authorities.

"We deeply regret this incident happened," Marriott President and CEO Arne Sorenson said in a statement. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."

The breach could potentially be one of the largest in history, behind the hacking of about 3 billion Yahoo accounts. Earlier this year, Under Armour said that data from about 150 million MyFitnessPal diet and fitness app accounts was compromised.

Marriott, based in Bethesda, Maryland, bought Starwood Hotels & Resorts Worldwide for $13 billion in 2016, creating the largest hotel chain in the world and adding Starwood's Sheraton, St. Regis, Westin and W properties to its collection.

Marriott at the time cited Starwood's guest loyalty program as a "central, strategic rationale" for the deal, given that Starwood's customers are typically higher income and travel more frequently.