Marriott International (NASDAQ: MAR) has revealed that its Starwood Hotels reservation system was targeted by hackers who stole about 500 million records. The attack apparently began four years ago in 2014, prior to Marriott’s purchase of Starwood. The company only identified the issue last week.
Marriott offered to buy Starwood for $12.2 billion in November 2015 to acquire the group of hotels which includes the St. Regis, Westin, Sheraton, and W Hotels. The company closed the Starwood deal in September 2016, creating the world’s largest hotel operator. The combined company has 6,700 properties in more than 129 countries.
Marriott said it first found out about the breach after an internal security tool sent an alert on Sept. 8. For 327 million guests, compromised data could include passport details, phone numbers and email addresses. The attack also exposed some credit card numbers and card expiration dates. Marriott says it can’t confirm if the hackers were able to decrypt the credit card numbers.
Marriott said that it had reported the breach to law enforcement and regulatory authorities. The New York Attorney General’s office said it has opened an investigation into the data breach. The attorneys general of Maryland and Pennsylvania have also said that they are investigating.
The company said would inform affected guests about the breach and has created an informational website. A call center has been set up to answer customers’ questions. The company also said it’s giving guests a free membership to WebWatcher, a personal information monitoring service.
The breach could cost Marriott hundreds of millions of dollars in legal costs. In its statement, Marriott said it was too early to estimate the financial impact of the breach. The hotel chain is reportedly working with its insurance carriers to assess coverage.