NEW YORK: Marriott International revealed on Friday (Nov 30) that hackers illegally accessed its Starwood reservation database since 2014, potentially exposing personal information on about 500 million guests.
Shares of the company were down 4 per cent at US$117 in premarket trading.
The company said that for 327 million guests, personal information compromised could include some combination of name, mailing address, phone number, email address, passport number, date of birth and Starwood Preferred Guest account information among other personal details.
For some others, the information could include credit card numbers and expiration dates, but those numbers were encrypted, the hotel chain said.
There are two components needed to decrypt the payment card numbers, and at this point, Marriott said it has not been able to rule out the possibility that both were stolen.
UNAUTHORISED ACCESS SINCE 2014
"We've opened an investigation into the Marriott data breach. Additionally, under New York law, Marriott was required to provide notification to our office upon discovering the breach; they have not done so as of yet," said Amy Spitalnick, communications director and senior policy advisor, Office of the New York Attorney General.
The company said it learned about the breach after an internal security tool sent an alert on Sep 8.
The company launched a probe and discovered that there had been unauthorised access to the Starwood network since 2014.
It said that an unauthorised party had "copied and encrypted information, and took steps towards removing it".
On Nov 19, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
"We deeply regret this incident happened," said Arne Sorenson, Marriott's president and chief executive officer. "We fell short of what our guests deserve and what we expect of ourselves."
Marriott, which bought Starwood in 2016 for US$12.2 billion to create the world's largest hotel operator, said it had reported the incident to law enforcement and had begun notifying regulatory authorities.
It added that it would send emails to affected guests, starting Friday.
"We are still investigating the situation so we don't have a list of specific hotels. What we do know is that it only impacted Starwood brands," Marriott spokesman Jeff Flaherty told Reuters.
When contacted by Channel NewsAsia, a representative from Marriott International declined to comment further.
Starwood properties include W Hotels, St Regis, Sheraton Hotels and Resorts, as well as Westin Hotels and Resorts.
READ: Cathay says 'most intense' period of data breach lasted months
READ: Singapore health system hit by ‘most serious breach of personal data’ in cyberattack; PM Lee's data targeted
"We are supporting the efforts of law enforcement and working with leading security experts to improve," said the hospitality giant.
"Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network."
POTENTIALLY MILLIONS OF DOLLARS IN LEGAL COSTS
Several companies have suffered data hacks in recent years. The breach could cost Marriott hundreds of millions of dollars in legal costs.
Marriott said on Friday it was too early to estimate the financial impact of the breach and that it would not affect its long-term financial health. The hotel chain said it was working with its insurance carriers to assess coverage.
Hotel groups have of late become a target of hackers, seeking to steal information such as credit card data.
Last year, both InterContinental Hotels Group and Hyatt Hotels Corp were victims of cyberattacks.
Hyatt said it had discovered unauthorised access to payment card information at certain of its locations, affecting 41 properties in 11 countries.
Yahoo said last year all of its three billion accounts were hacked in a 2013 data theft. Attorneys had said the breach sharply increased the legal exposure of its new owner, Verizon Communications.
Altaba, as Yahoo came to be known after Verizon bought it, said it expected to pay a total of US$47 million in litigation expenses to settle related cases.
News of the attack highlights the need for companies to pay close attention on cyber security when making acquisitions.
"Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial, and legal harm that could befall the company," said Jake Olcott, a vice president with cybersecurity firm BitSight.