For roughly two-thirds of the guests who were possibly affected, an unauthorized party may have had access to names, addresses, phone numbers, email addresses, passport numbers and travel details, Marriott said Friday. In some cases, the company said, the information also included payment-card information. Marriott said payment-card numbers are usually encrypted, though it could not rule out that card information was stolen.
“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward,” Marriott Chief Executive Arne Sorenson said in a news release.
The breach only impacted Starwood hotel brands. The Starwood reservation system still exists, a Marriott spokeswoman said. However, by the end of the year Marriott will have one reservation system, she said.
Marriott said its internal security tool alerted it of a potential breach to its U.S. database on Sept. 8. After an investigation, the company found that the Starwood guest database may have been compromised since 2014, which precedes Marriott’s acquisition of Starwood. The database contained information for guests who made reservations on or before Sept. 10.
The company found the unauthorized party had copied and encrypted information from the database, and had attempted to steal it. However, it wasn’t until Nov. 19 that Marriott was able to decrypt the information to find out what the contents of the breach were.
Starwood’s brands include Sheraton, W Hotels, Westin, Le Méridien, Four Points by Sheraton, Aloft, St. Regis, Element, The Luxury Collection, Tribute Portfolio and Design Hotels.
Marriott said it has been working with law enforcement and regulatory authorities regarding the breach.
A spokeswoman for Federal Bureau of Investigation said the FBI is tracking the situation.
Hotel chains have been hit by a wave of data breaches in recent years, often with hackers trying to steal customer credit- and debit-card information. In 2015, Starwood said hackers had stolen payment-card information during a data breach that lasted nearly eight months at 54 locations. Hilton Worldwide Holdings Inc. and Trump Hotels have also said hackers had stolen information.
The Marriott hack is one of the largest data breaches ever disclosed, measured by the number of individuals potentially affected. Only a 2013 breach of Yahoo AABA that affected three billion people, nearly the entirety of Yahoo’s user base, may be bigger, security experts said. Another hack of Yahoo that occurred in 2014 has an impact on roughly 500 million people.
Hackers often root through computer networks for years without detection. Remaining hidden for so long can make investigating a breach more difficult, as companies often don’t retain their full history of systems and network-traffic logs, said Blake Darche, co-founder and chief security officer at the cybersecurity company Area 1 Security.
The compromise of passport information could be the most significant aspect of the Marriott breach, particularly if it was carried out by a state-sponsored actor for intelligence purposes, said Mr. Darche, a former official with National Security Agency.
Passport numbers are often used to confirm a guest’s identity at check in, and they are coveted by criminals, said Avivah Litan, a senior analyst with Gartner Inc.
“If you’re signing up for a new loan, if you’re renting a car in a foreign country, if you’re opening a bank account—you always have to present identity documents,” Ms. Litan said. The passport is “a standard identity document that’s used globally for identity verification,” she said.
Marriott said it would begin on Friday notifying affected guests whose email addresses were in the Starwood database. It has set up a website and call center to answer questions about the breach. The company is also providing guests with the chance to enroll in WebWatcher, a service that monitors internet sites where personal information is shared, for free for one year.
“We are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network,” Mr. Sorenson said.
Marriott completed the $13.6 billion acquisition of Starwood Hotels & Resorts in 2016. Marriott has had problems since the acquisition with integrating its technology systems with those from Starwood. Travelers have reported problems with hotel stays being credited to loyalty accounts and have complained about customer service not helping when issued were identified.
In a Friday regulatory filing, Bethesda, Md.-based Marriott said that it couldn’t yet estimate the financial impact of the data breach. The company, which carries cyber insurance, said it is working with its insurance carriers to assess coverage and it will disclose costs later.
“The company does not believe this incident will impact its long-term financial health,” Marriott said in the filing.
Shares in Marriott fell 3.6% to $117.50 in premarket trading.
Marriott has more than 6,700 properties under 30 hotel brands, including the Ritz-Carlton and Renaissance.