The Marriott International hotel chain says it is taking steps to help the up to 500 million guests whose personal information may have been compromised when the chain’s Starwood reservation system was hacked.
For 327 million guests, Marriott said in a statement on Friday, the exposed information includes their name, phone number, email address, passport number, date of birth, and arrival and departure information. For millions of others, credit card numbers and card expiration dates were potentially compromised.
The “unauthorized access” may stretch back to 2014, the hotel group said. Marriott, which acquired Starwood in 2016, runs more than 6,700 properties around the world. Its Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels.
In the statement, Marriott said it was beginning to email guests affected by the security breach. It has created a dedicated website with FAQ information and important links for guests. A call center is open seven days a week and is available in several languages. Regional phone numbers can be found by clicking the words Call Center Information.
The company also is giving guests in the United States, Canada, and Britain a free, one-year membership to the personal information monitoring service WebWatcher. It described WebWatcher as a service that watches internet sites where personal information is shared or sold and then alerts people if their information is found there.
Marriott also advises guests to monitor their loyalty accounts for suspicious activity, change their account passwords, and check credit card statements for unauthorized activity.
“We deeply regret this incident happened,” Arne Sorenson, Marriott’s president and CEO, said in Friday’s statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
In the statement, the chain said it learned in September about an attempt to access the Starwood database and the resulting investigation revealed in November that unauthorized access had been made on or before Sept. 10.
The investigation also found that an “unauthorized party had copied and encrypted information, and took steps toward removing it,” the statement said.
It wasn’t clear if hackers who had obtained encrypted credit card numbers and expiration dates for some customers would be able to use that information.
Marriott said it had notified regulatory and legal authorities.