Marriott announces data breach impacting 500 million hotel guests

The company has determined that hackers had unauthorized access to Starwood’s guest database dating back to 2014.

The Marriott Hotel chain announced Friday that information contained in a Starwood Hotels database was compromised, potentially affecting up to 500 million guests.

The company has determined that hackers had unauthorized access to Starwood’s guest database dating back to 2014. Hackers copied and encrypted guest information, then “took steps towards removing it,” the company said. Marriott acquired Starwood in 2016.

Marriott on Sept. 8 received an alert from a security tool indicating an outsider was trying to access Starwood’s guest reservation database. That alert was enough for the company to consult outside security experts, who ultimately determined that thieves had been inside the database for roughly four years.

For roughly 327 million of the 500 million guests affected, hackers stole information including their name, mailing address, phone number, email address, passport number, Starwood account information, date of birth, gender, arrival and departure information, reservation date and communication preferences, the company said. Payment information also was compromised for many of those guests.


Marriott in its statement said it is still investigating the breach. The company also said it has been working with law enforcement and that it “has begun notifying” regulatory authorities about the incident.

A stipulation in the European Union’s General Data Protection Regulation requires firms to report within 72 hours a data breach involving information about EU citizens. It remains unclear precisely when Marriott began alerting regulators about this incident, but GDPR threatens fines of up to 4 percent of global revenue or 20 million, whichever is higher, to organizations that violate the rules.

Exactly what constitutes a data breach that must be reported within 72 hours is a subject of ongoing debate in meetings and boardrooms throughout the private sector.

The company said it will begin on Friday notifying guests whose email addresses were in the Starwood database. It also has prepared a call center capable of helping victims in multiple languages.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.