In a filing Friday morning with the U.S. Securities and Exchange Commission, Marriott International Inc. (NASDAQ: MAR) revealed that up to 500 million guests at Starwood properties may have had personal data exposed in an attack against Starwood’s guest reservation database. Marriott, which completed its $13 billion acquisition of Starwood in September 2016, noted that unauthorized access to the database first occurred in 2014.
For about 327 million of the affected guests, the compromised information includes some or all of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For “some” guests the compromised information included encrypted payment card numbers and expiration dates, and for still others, compromised data was “limited to name and sometimes other data such as mailing address, email address, or other information.”
The company said it discovered an attempt to access the Starwood guest database on September 8 and that during a subsequent investigation learned that unauthorized access had been occurring since 2014 and that the company had “recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.”
Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties were also affected.
The company has created a website (info.starwoodhotels.com) and a call center to provide additional information and to answer questions from customers. Marriott is also offering free enrollment for one year in a web monitoring program.
Starwood’s data breach runs afoul of the European GDPR regulation and Marriott faces a penalty of up to 4% of global annual revenue if the breach is found to have been the result of bad record-keeping practices.
Shortly after Friday’s opening bell, Marriott stock traded down about 5%, at $115.10 in a 52-week range of $106.96 to $149.21.