[Updated] Marriott Data Breach Exposes Personal Information of 500 Million Guests – Sheraton, St. Regis, Westin, Element Hotels, & Others Included
Marriott says its guest reservation system has potentially exposed the personal information of up to 500 million of its guests. The international hotel chain reported the breach today, confirming that its Starwood reservation system had been hacked. The data at risk goes back to at least 2014.
“The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it,” Marriott International said in its statement. “We deeply regret this incident happened.”
Highlights: Marriott breach was discovered on November 19; hackers had access to the system since 2014; payment data could also be at risk
The hotel chain’s internal investigation found that an attacker had had access to its Starwood network since 2014. In September, the company discovered that an unauthorized party had recently copied and encrypted information, and then tried to remove the data. On November 19, Marriott finally decrypted the data and discovered that the contents were from the Starwood guest reservation database.
Marriott said the guest reservation database contained guest information relating to reservations at Starwood properties on or before September 10, 2018. [Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.]
For around 327 million guests, the exposed data includes at least some of the following records:
- name
- mailing address
- phone number
- email address
- Starwood Preferred Guest (“SPG”) account information
- passport number
- date of birth
- gender
- reservation date
- arrival and departure information
For some, the exposed data also includes payment data; however, the company is yet to confirm that. The company said that “there are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
Marriott, the world’s largest hotel chain, bought Starwood Hotels and Resorts Worldwide two years back for $12.2 billion. The merger brought major names such as Sheraton under Marriott’s umbrella.
“We fell short of what our guests deserve and what we expect of ourselves,” Marriott’s CEO Arne Sorenson said in a statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.” The hotel chain’s stock has appeared to take a hit, falling nearly 6% in premarket trading.
Marriott has established a dedicated website to answer questions about this incident. The company added that it will start notifying customers whose records were in the database “on a rolling basis” starting today.
[Update]: Breach doesn’t affect Marriott-branded hotels
Responding to our query, Tracey Schroeder, VP, Global Consumer Public Relations at Marriott, clarified that the breach does not affect Marriott-branded hotels.
“The guest reservation database that is involved [in the incident] was only used for Starwood reservations,” Schroeder confirmed in an emailed statement to Wccftech. “Marriott uses a separate reservation system that is on a different network.”