BETHESDA, Md.–Marriott Hotels said its guest reservation system has been hacked and that the personal information of approximately 500-million guests has potentially been exposed.
According to the company, the data breach affects its Starwood reservation database, a group of hotels it purchased in 2016 that includes the St. Regis, Westin, Sheraton and W Hotels.
The breach has been ongoing for at least four years, according to Marriott, which reported the hackers gained "unauthorized access" to the Starwood reservation system in 2014. It said it had not identified the issue until last week.
"The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it," Marriott said in a statement in a released statement.
According to Marriott, for 327-million people the exposed information includes their names, phone numbers, email addresses, passport numbers, date of birth and arrival and departure information. For millions of others, their credit card numbers and card expiration dates were potentially compromised, the company said, adding it is unable to confirm if the hackers were able to decrypt the credit card numbers.
"We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward," said CEO Arne Sorenson in the statement.
Marriott said it plans to email guests affected by the breach and it has created an informational website. There's also a call center that guests can contact.
The company is also offering guests a free membership to WebWatcher, a personal information monitoring service. It's also telling guests to monitor their loyalty accounts for suspicious activity, change their account passwords and check credit card statements for unauthorized activity.
Marriott-branded hotels include 6,700 properties in more than 129 countries.