Data from up to 500 million guests has been compromised by an unauthorized party, Marriott International announced Friday.
The unauthorized party copied and encrypted information from Marriott’s Starwood brand database. Unauthorized access dates back to 2014, years before Marriott acquired Starwood to create what Marriott calls the world’s largest lodging company.
Starwood properties include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood-branded timeshare properties are also included.
Information regarding how many New Jersey properties and how many New Jersey-based guests were affected by the data breach is not currently available. "The situation has global impact. We do not have a breakdown by market at this time," a Marriott spokesperson told NJBIZ.
For approximately 327 million guests, Marriott said that the copied information includes a combination of the following details: name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.
For some, it also includes payment card numbers and payment card expiration dates. Although both were encrypted in Marriott’s system, the company said it wasn’t able to rule out that both pieces of information were accessed and taken.
For the remaining guests, limited data was taken, including name and sometimes mailing address, email address, or other information.
“We deeply regret this incident happened,” said Marriott CEO Arne Sorenson in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott reported the incident to law enforcement and is cooperating with the investigation.