A vast data breach has exposed the private information, including passport and credit card numbers, of around 500 million guests of the Marriott hotel chain.
Marriott International says hackers may have uncovered the personal and financial information of as many as half a billion customers who made reservations at any of its Starwood properties over the past four years.
The discovery came as part of an investigation earlier this month which had been looking at a cyber attack dating back to 2014, a company statement on Friday said.
Marriott, which first became suspicious of a hack in September, said the intruders encrypted information from the database and that its efforts to decrypt that data set were not yet complete.
The company believes the breach has affected “up to approximately 500 million guests who made a reservation at a Starwood property”, although some of the records could belong to people who booked multiple stays.
CEO of Marriott International, Arne Sorenson, has apologised saying: “We fell short of what our guests deserve and what we expect of ourselves.
“We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The hotel giant said that while customer payment card data was protected by encryption technology, the company could not rule out the possibility the attackers had also made off with the encryption keys needed to decrypt the data.
Marriott is not the first hotel chain to be stung by hackers.
Just last month, two luxury Tasmanian hotels owned by the Federal Group revealed the personal data of their guests “may have been accessed by an unauthorised third party”, with the company telling people emails sent from the resorts may be bogus.
The company wrote to past guests of Hobart’s Henry Jones Art Hotel and Saffire Freycinet informing them of the breach, with the group saying it was “currently undertaking an internal investigation of the incident”.
Back in Dec 2016, a pattern of fraudulent transactions on credit cards was linked to InterContinental Hotels Group properties across the United States. An investigation showed cash registers at more than 1,000 of its properties were compromised with malware designed to siphon customer debit and credit card data.
Starwood hotel brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels and Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels and Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest program.
A list of frequently asked questions has been posted on a website Marriott created specifically for information about the breach, and the group has opened a seven-days-a-week call centre with information available in multiple languages for anyone who thinks they may have been victimised.
It recommends that guests using the same or a similar password as the one associated with their Starwood loyalty account change it, and be on the lookout for any phishing emails asking for login details.
Marriott is offering affected guests from Canada, the US and Britain a free year’s worth of service from WebWatcher, which claims to monitor the internet for signs that a customer’s personal information is being traded or sold.