On Friday, Marriott International announced a system breach that has affected approximately 500 million customers, with stolen information including names, credit card numbers, mailing addresses, email addresses, and passport numbers. The breach is one of the largest in history, after recent Yahoo breaches that compromised the accounts of nearly three billion customers.
The breach appears to have originated at Starwood hotels in 2014—two years before Marriott acquired the hotel chain, according to The Washington Post. “When Marriott acquired Starwood in 2016, the existing breach went undetected during the merger and for years afterward,” the Post noted.
Marriott says it confirmed unauthorized access to the Starwood guest reservation database on November 19, which contained guest information dating back to September 10, 2018. The hackers had allegedly copied encrypted information from the Starwood reservation database. When Marriott was able to decrypt the information, the company found that of the approximately 500 million guests that had their name and contact information stolen, a subset of 327 million had “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”