Marriott has announced 500 million guests’ data may have been exposed during breaches that began in 2014 from a reservation database for its hotels which include luxury London landmarks.
The company said reservations at its Starwood properties – which include the Park Lane Sheraton Grand, Westbury Mayfair and Le Meridien Piccadilly – had been affected by the “data security incident”.
Work is continuing but the firm said the breached database contains the information of up to half a billion guests.
The database stored information including passport numbers, dates of births, names, addresses and phone numbers for 327 million guests.
Payment card numbers and expiration dates were also stored for some.
The breach was spotted in the Starwood guest reservation database in the US on September 8 and the company “discovered that an unauthorised party had copied and encrypted information, and took steps towards removing it”, a statement said.
Security experts determined there “had been unauthorised access to the Starwood network since 2014”, it added.
Researchers decrypted the information and determined its contents were from the Starwood reservation database on November 19, the company said.
Marriott president and chief executive Arne Sorenson said: “We deeply regret this incident happened.
“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The Maryland-based firm said law enforcement agencies are investigating.
Payment card numbers are encrypted using a method that requires two components to break it, a statement said.
“Marriott has not been able to rule out the possibility that both were taken,” it added.
Starwood was bought by Marriott in 2016.