WASHINGTON — Marriott International, one of the world's largest hotel chains, revealed Friday that its Starwood reservations database had been hacked and that the personal information of up to 500 million guests could have been stolen.
The data breach involved information mined from the database for Starwood properties, which include Sheraton, Westin and St. Regis hotels. An unauthorized party had accessed the database since 2014, company officials said. The breach included names, email addresses, passport numbers and payment information, according to the hotel giant.
"We deeply regret this incident happened," Arne Sorenson, Marriott's chief executive, said in a news release. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
With the information of 500 million people having been compromised, Marriott's breach is one of the biggest in history, second only to Yahoo's breaches in 2013 and 2014, which affected 3 billion user accounts.
The suburban Bethesda, Md.-based company said that it reported the breach to law enforcement and is notifying regulatory authorities.
The hotel chain has set up a website and call center to answer questions at info.starwood.com, and it is emailing affected guests beginning Friday.
News of the breach sparked questions among cybersecurity experts about whether the hackers were criminals collecting data for identity theft or nation-state spies collecting information on travelers worldwide, including possibly diplomats, business people or intelligence officials as they moved around the globe. Hotel chains, with their vast customer databases and proprietary WiFi networks, likely make appealing targets.
"We know that the hospitality business is a very attractive target for nation states," said Thomas Rid, a political-science professor at the Johns Hopkins School of Advanced International Studies who specializes in cybersecurity issues. "You can more easily hack some high-value targets from within a hotel WiFi."
Security experts also questioned the extent and quality of the encryption used by Marriott. The news release specified that the company used encryption to protect credit card numbers, but the company did not specify whether other personally identifiable information — including names, addresses, phone numbers, email addresses and passport numbers — was protected in this way, as security experts recommend. The company did not immediately respond to a request for comment as to whether all of the data had been encrypted when accessed by the hackers.
The company acknowledged, however, a possible failing in the encryption security it had for credit card numbers, saying that it could not "rule out the possibility" that encryption keys were taken by hackers, allowing access to massive troves of data. The most secure systems lock up data with encryption keys and also make sure those keys are stored safely.
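To make the last point concrete, here is an added example of the key-separation design the article alludes to; it is illustrative code written for this page, not Marriott's or Starwood's system. The database tier holds only ciphertext and per-record data keys that are themselves encrypted ("wrapped") under a master key, and the master key lives in a separate key service (a stand-in for an HSM or KMS). The cipher is a standard-library HMAC-based stand-in for an AEAD such as AES-GCM so the block runs offline; the class names, the `decrypt_dump` function and the sample card number are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# --- Stand-in authenticated cipher (HMAC-SHA256 keystream + encrypt-then-MAC) ---
# Used only so the example runs without third-party packages; a real system
# would use an AEAD such as AES-GCM. Separate subkeys are derived for the
# keystream and the tag so one key is never used for two purposes.
def _subkeys(key: bytes):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises ValueError on a wrong key."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- Key service: the only component that ever sees the master key ---
class KeyService:
    """Stand-in for an HSM/KMS. It wraps and unwraps per-record data keys and
    never hands the master key to the database tier."""
    def __init__(self):
        self._master = secrets.token_bytes(32)

    def wrap(self, data_key: bytes) -> bytes:
        return seal(self._master, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        return unseal(self._master, wrapped)

# --- Database tier: stores ciphertext and wrapped keys only ---
class ReservationStore:
    def __init__(self, kms: KeyService):
        self._kms = kms
        self.rows = {}  # what an attacker gets from a dump of this tier

    def put(self, guest_id: str, card_number: str) -> None:
        dek = secrets.token_bytes(32)  # fresh data key per record
        self.rows[guest_id] = {
            "pan": seal(dek, card_number.encode()),
            "wrapped_dek": self._kms.wrap(dek),
        }

    def get(self, guest_id: str) -> str:
        row = self.rows[guest_id]
        dek = self._kms.unwrap(row["wrapped_dek"])
        return unseal(dek, row["pan"]).decode()

def decrypt_dump(rows: dict, candidate_master: bytes):
    """Models an attacker holding a database dump plus a candidate master key.
    Returns {guest_id: card_number} if the key is right, or None if it is not:
    without the master key the dump yields nothing."""
    recovered = {}
    try:
        for guest_id, row in rows.items():
            dek = unseal(candidate_master, row["wrapped_dek"])
            recovered[guest_id] = unseal(dek, row["pan"]).decode()
    except ValueError:
        return None
    return recovered

if __name__ == "__main__":
    kms = KeyService()
    store = ReservationStore(kms)
    store.put("guest-1", "4111111111111111")  # constructed sample PAN
    print("app read-back:", store.get("guest-1"))
    print("dump without master key:", decrypt_dump(store.rows, secrets.token_bytes(32)))
```

The design property worth noticing is the second `decrypt_dump` call: a copy of the database alone does not expose card numbers, but a copy of the database together with the master key does, which is exactly the scenario the company said it could not rule out.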
For most customers, the likeliest risk from the breach is identity theft. Such detailed personal information would make it easier for criminals to impersonate other people for the purpose of conducting banking transactions, applying for government benefits or even seeking to enter secure facilities that require official identification, such as passports.
Unlike some other major hacks — such as last year's breach of credit-rating agency Equifax, which affected more than 145 million people — there is no report suggesting that Social Security numbers were exposed in the Marriott breach. But the company said that for about 327 million customers, details on where and when people stayed at various hotels may have been revealed, giving the hackers information on the travel logistics of individual people.
Marriott said Friday that it had learned on Sept. 8 that an unauthorized party had access to its systems, but the news release suggested the hackers were able to conceal the exact nature of what they were accessing by encrypting the stolen data themselves as they tried to remove it. That made it harder for the company to determine the nature of the breach. Marriott was unable to decrypt what was stolen until Nov. 19.
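Encrypting data before moving it out is a common way to keep an intrusion from being understood, but it leaves a measurable trace: encrypted bytes look random, while a plaintext database export does not. The following added example (written for this page, not part of the article or of Marriott's tooling) scores outbound payloads by Shannon entropy and volume, a triage heuristic defenders use to flag suspicious transfers for review. The sample payloads, the threshold values and the `triage_transfer` function are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty or constant data, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def triage_transfer(payload: bytes, dest_allowlisted: bool,
                    entropy_threshold: float = 7.0, size_threshold: int = 1024) -> dict:
    """Flags a transfer that is large, looks encrypted and goes somewhere
    unexpected. Compressed archives also score high on entropy, so the
    verdict is 'review', not 'malicious'."""
    ent = shannon_entropy(payload)
    looks_encrypted = ent >= entropy_threshold
    large = len(payload) >= size_threshold
    if looks_encrypted and large and not dest_allowlisted:
        verdict = "review"
    elif looks_encrypted and large:
        verdict = "high-entropy-to-known-destination"
    else:
        verdict = "normal"
    return {"bytes": len(payload), "entropy": round(ent, 3),
            "looks_encrypted": looks_encrypted, "verdict": verdict}

# --- Constructed sample payloads ---
# A plaintext export resembling reservation records (ASCII text).
PLAINTEXT_EXPORT = b"".join(
    b"guest-%05d,Example Name,example%d@example.test,2018-11-30,hotel-%03d\n"
    % (i, i, i % 200) for i in range(60)
)

def pseudorandom_blob(size: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for an encrypted file: a SHA-256 counter stream."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])

ENCRYPTED_BLOB = pseudorandom_blob(4096)

if __name__ == "__main__":
    print("plaintext export:", triage_transfer(PLAINTEXT_EXPORT, dest_allowlisted=False))
    print("encrypted blob:  ", triage_transfer(ENCRYPTED_BLOB, dest_allowlisted=False))
```

In practice the entropy score is one feature among several (destination reputation, transfer volume against a per-host baseline, time of day, the process that opened the connection); on its own it cannot tell an encrypted exfiltration archive from a legitimate encrypted backup, which is why the function returns a review verdict rather than a block.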
Investigators discovered that the hackers had had access to Starwood's systems since 2014. When Marriott acquired Starwood in 2016, the existing breach went undetected during the merger and for years afterward.
For 327 million guests, the information exposed was strictly personal: birthdays, passport numbers, email and mailing addresses, and phone numbers.
While some credit card information, including card numbers and expiration dates, may also have been compromised, it was stored using a more advanced encryption method. Still, Marriott said it had "not been able to rule out" the possibility that card information had also been stolen.