The Marriott hotel chain has reported a data breach affecting the personal details of up to half a billion guests who made reservations at its Starwood properties.
The US company has determined there was unauthorised access to the reservation database of its Starwood division of hotels.
The discovery came as part of an investigation earlier this month, which had been looking at a cyber attack dating back to 2014, a statement on Friday said.
The company believes the breach affected “up to approximately 500 million guests who made a reservation at a Starwood property”.
For around 327 million of those people, the duplicated information includes some combination of name, address, phone number, email, passport number, and other personal details, as well as details of their stay, the statement said.
Credit card numbers and expiration dates of some guests may have been taken.
“We fell short of what our guests deserve and what we expect of ourselves,” chief executive Arne Sorenson said in a statement.
“We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott first became suspicious of a possible hack in September after receiving an alert from an internal security tool.
The investigation found the thieves copied and encrypted information, and took steps towards removing it.
Last week the company was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
In addition to Westin, Sheraton and St Regis, the Starwood chain of hotels includes Le Meridien and W Hotels.
Marriott purchased Starwood in 2016 and apparently the security vulnerability came along with the purchase. The Starwood IT system is to be discontinued.
The authorities and regulators have been informed, and the customers whose data was stolen also are being contacted, Marriott said.
Marriott, one of the world’s largest hotel chains, is the latest corporation to fall victim to a hacker attack.
Internet service provider Yahoo was attacked in 2013 by unknown hackers who gained access to 3 billion user accounts, including names, email addresses, telephone numbers and passwords.
A hack into eBay’s system, details of which became public in May 2014, compromised the data of about 145 million customers, including email and residential addresses, as well as log-in information.