Starwood Hotels has confirmed its hotel guest database of about 500 million customers has been stolen in a data breach.
The hotel and resorts giant said in a statement that the “unauthorized access” to its guest database was detected on or before September 10 — but may have dated back as far as 2014.
“Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014,” said the statement. “Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.”
Specific details of the breach remain unknown. We’ve contacted Starwood for more and will update when we hear back.
The company said hat it obtained and decrypted the database on November 19 and “determined that the contents were from the Starwood guest reservation database.”
Some 327 million records contained a guest’s name, postal address, phone number, date of birth, gender, email address, passport number, Starwood’s rewards information (including points and balance), arrival and departure information, reservation date, and their communication preferences.
Starwood said an unknown number of records contained encrypted credit card data, but has “not been able to rule out” that the components needed to decrypt the data wasn’t also taken.
“Marriott reported this incident to law enforcement and continues to support their investigation,” said the statement.
Starwood remains one of the largest hotel chains in the world, with more than 11 brands covering 1,200 properties, including W Hotels, St. Regis, Sheraton, Westin, Element and more. Starwood branded timeshare properties are also included. The company said that its Marriott hotels are not believed to be affected as its reservation system is “on a different network.”
The company has begun informing customers of the breach — including in the U.S., Canada, and the U.K.
Given that the breach falls under the European-wide GDPR rules, Starwood may face significant financial penalties of up to four percent of its global annual revenue if found to be in breach of the rules.