By Lauren Howells.

Up to 500 million guests who made a reservation at a Starwood property, may have had their details compromised following a data breach.

Unauthorised access to Starwood network since 2014

Marriott said that, following an alert on 8 September 2018 from an “internal security tool” regarding an attempt to access the Starwood guest reservation database in the US, it had engaged security experts to help find out what had happened. This investigation discovered that there had been unauthorised access to the Starwood network since 2014.

The hotel group said that it had “recently discovered” that an unauthorised party had “copied and encrypted information, and took steps towards removing it”. On 19 November 2018, Marriott decrypted the information and discovered that it was from the Starwood guest reservation database.

The guest information was related to reservations at Starwood properties on or before 10 September 2018, Marriott confirmed.

Information includes some guests’ payment card details

The hotel group has said that the information of approximately 327 million of those affected includes “some combination of” name, address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.

For some customers, the information also included payment card numbers and expiration dates, although the card numbers were encrypted, it said. However, Marriott admitted that it has not been able to rule out the possibility that both components needed to decrypt the payment cards could have been taken.

For the remaining 173 million guests, it said that the information was limited to name and sometimes other data, such as addresses, email addresses or “other information”.

Marriott International data breach affecting 500 million guests

“We fell short of what our guests deserve and what we expect of ourselves.”

Starwood brands include Le Méridien Hotels & Resorts, W Hotels, Sheraton Hotels & Resorts, Westin Hotels & Resorts, St. Regis, Element Hotels, The Luxury Collection, Tribute Portfolio, Aloft Hotels, Four Points by Sheraton and Design Hotels.

Marriott said that it has reported the incident to law enforcement and has already started to notify the regulatory authorities.

Arne Sorenson, Marriott’s President and Chief Executive Officer, expressed regret, saying that they had fallen short of what their guests deserve.

“We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

A dedicated website and call centre has been set up to answer customer concerns regarding this data breach.  The UK phone number is 0808 189 1065.

Marriott is also providing guests with the opportunity to enrol in WebWatcher, which monitors internet sites where personal information is shared and alerts you if your information is discovered, for one year, free of charge.