By Kimberly Chin and Aisha Al-Muslim 

Marriott International Inc., the world's largest hotel company, said it identified a data breach in its Starwood reservation system that may have exposed personal information of up to 500 million guests.

For roughly two-thirds of the guests who were possibly affected, an unauthorized party may have had access to names, addresses, phone numbers, email addresses, passport numbers, and travel details, Marriott said Friday. In some cases, the company said, the information also included payment-card information. Marriott said payment-card numbers are usually encrypted, though it could not rule out that card information was stolen.

"We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward," Marriott Chief Executive Arne Sorenson said in a news release.

Marriott said its internal security tool alerted it to a potential breach of its U.S. database on Sept. 8. After an investigation, the company found that the Starwood guest database may have been compromised since 2014, which precedes Marriott's acquisition of Starwood. The database contained information for guests who made reservations on or before Sept. 10.

The company found the unauthorized party had copied and encrypted information from the database, and had attempted to steal it. However, it wasn't until Nov. 19 that Marriott was able to decrypt the information to find out what the contents of the breach were.

Starwood's brands include Sheraton, W Hotels, Westin, Le Méridien, Four Points by Sheraton, Aloft, St. Regis, Element, The Luxury Collection, Tribute Portfolio, and Design Hotels.

Marriott said it has been working with law enforcement and regulatory authorities regarding the breach.

Hotel chains have been hit by a wave of data breaches in recent years, often with hackers trying to steal customer credit- and debit-card information. In 2015, Starwood said hackers had stolen payment-card information during a data breach that lasted nearly eight months at 54 locations. Hilton Worldwide Holdings Inc. and Trump Hotels have also said hackers had stolen information.

The Marriott hack is one of the largest data breaches ever disclosed, measured by the number of individuals potentially affected. Only a 2013 breach of Yahoo that affected three billion people, nearly the entirety of Yahoo's user base, may be bigger, security experts said. Another hack of Yahoo that occurred in 2014 had an impact on roughly 500 million people.

Hackers often root through computer networks for years without detection. Remaining hidden for so long -- Marriott said the intrusion dated back to 2014 -- can make investigating a breach more difficult, as companies often don't retain their full history of systems and network-traffic logs, said Blake Darche, co-founder and chief security officer at the cybersecurity company Area 1 Security.

The compromise of passport information could be the most significant aspect of the Marriott breach, particularly if it was carried out by a state-sponsored actor for intelligence purposes, said Mr. Darche, a former official with the National Security Agency. "It's super useful for tracking people," he said.

The company said it would begin on Friday notifying affected guests whose email addresses were in the Starwood database. It has set up a website and call center to answer questions about the breach. The company is also providing guests with the chance to enroll in WebWatcher, a service that monitors internet sites where personal information is shared, for free for one year.

"We are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network," Mr. Sorenson said.

Marriott completed the $13.6 billion acquisition of Starwood Hotels & Resorts in 2016. Marriott has had problems since the acquisition with integrating its technology systems with those from Starwood. Travelers have reported problems with hotel stays being credited to loyalty accounts and have complained about customer service not helping when issues were identified.

In a Friday regulatory filing, Bethesda, Md.-based Marriott said that it couldn't yet estimate the financial impact of the data breach. The company, which carries cyber insurance, said it is working with its insurance carriers to assess coverage and it will disclose costs later.

"The company does not believe this incident will impact its long-term financial health," Marriott said in the filing.

Shares in Marriott fell 3.6% to $117.50 in premarket trading.

Marriott has more than 6,700 properties under 30 hotel brands, including the Ritz-Carlton and Renaissance.

--Dustin Volz contributed to this article.

Write to Kimberly Chin at kimberly.chin@wsj.com and Aisha Al-Muslim at aisha.al-muslim@wsj.com

 

(END) Dow Jones Newswires

November 30, 2018 09:27 ET (14:27 GMT)

Copyright (c) 2018 Dow Jones & Company, Inc.