Marriott admits to data breach affecting up to 500 million hotel guests since 2014

The information of as many as 500 million guests at Starwood hotels has been compromised, and Marriott said it discovered that unauthorized access within its Starwood network has been taking place since 2014.

Starwood hotels such as Sheraton and Westin are affected, including those in Canada

The Marriott hotel chain says data from customers at Starwood hotels dating back to 2014 has been breached. (Brendan McDermid/Reuters)

The Marriott hotel chain says the personal information of up to half a billion people who stayed at Starwood hotels between 2014 and 2018 may have had their personal information stolen.

The chain revealed details of the breach, which is so far the second-largest theft of personal data in history, bested only by the Yahoo breach uncovered last year that affected more than three billion accounts.

Marriott says hotels owned by the Starwood chain are affected. Those include:

  • W Hotels.
  • St. Regis.
  • Sheraton Hotels & Resorts.
  • Westin Hotels & Resorts. 
  • Element Hotels. 
  • Aloft Hotels. 
  • The Luxury Collection. 
  • Tribute Portfolio. 
  • Le Meridien Hotels & Resorts. 
  • Four Points by Sheraton and Design Hotels.
  • Starwood-branded timeshare properties.​

Marriott says its own Marriott-branded hotels are not impacted because they use a different software system that wasn't breached.

But anyone who stayed at a Starwood-owned hotel between 2014 and September of this year may have had their data stolen. Canadian locations would be included.

Marriott says it became aware of the breach on Sept. 8 when an internal security tool signaled a potential breach, but the company was unable to decrypt the information that would define what data had potentially been exposed.

The chain is starting to email affected people.

While the breach affected "approximately 500 million guests" who made a reservation at a Starwood hotel, some of those records could belong to people who had multiple stays, and for many of them very little information may have been taken. 

Numbers and expiration dates for some guests' credit cards may have been taken. But 327 million guest stays had some combination of name, mailing address, phone number, email address, passport number, date of birth, gender, arrival and departure information, reservation date, and communication preferences stolen.

"The names, addresses, passport numbers and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted," said analyst Ted Rossman of CreditCards.com. "People should be concerned that criminals could use this info to open fraudulent accounts in their names."

Corey Larocque, a spokesperson with the Canadian Office of the Privacy Commissioner, said Marriott informed the office of the breach Friday, and the office is "following up" with the company.

Due to confidentiality, Larocque said he could not provide further details, but said the commissioner has not opened a formal investigation or received complaints around the breach.

When Marriott and Starwood announced their merger in November 2015, Marriott had 54 million members of its loyalty program and Starwood had 21 million. Many travelers were members of both programs. The combined chain now has more than 6,700 hotels around the world, and more than 1.1 million rooms.

"We fell short of what our guests deserve and what we expect of ourselves," Marriott CEO Arne Sorenson said in a statement. "We are doing everything we can to support our guests, and using lessons learned to be better moving forward."

Asked for more details on the 500 million figure, Marriott spokesman Jeff Flaherty said Friday that the company has not finished identifying duplicate information in the database.

Marriott has had a rocky process of merging its computer system with Starwood computers. Members of both loyalty programs have complained about missing points, glitches with stays crediting to their accounts and problems with free nights earned from credit cards not appearing.

Marriott has set up a website and call centre for anyone who thinks they are at risk.

(CBC)

With files from The Associated Press