Hackers have reportedly stolen about 500 million records from Marriott International’s Starwood Hotels reservation system in an attack that began four years ago, Reuters reported.
The breach has exposed the personal data of customers including some payment card numbers.
The hack reportedly began in 2014, before Marriott offered to buy Starwood for $12.2 billion in November 2015, acquiring brands including Sheraton, Ritz Carlton and the Autograph Collection to create the world’s largest hotel operator. The company closed the Starwood deal in September 2016.
Marriott said for 327 million guests, compromised data could include passport details, phone numbers and email addresses. For some others, it could include credit card information, the Reuters report noted.
Marriott said it first found out about the breach after an internal security tool sent an alert on 8th September.
“We’ve opened an investigation into the Marriott data breach. Additionally, under New York law, Marriott was required to provide notification to our office upon discovering the breach; they have not done so as of yet,” said Amy Spitalnick, Communications Director and Senior Policy Advisor, Office of the New York Attorney General.
Marriott said it would inform affected guests about the breach, starting Friday, and that it had reported it to law enforcement and regulatory authorities.
A class action lawsuit has reportedly been filed against the hotel chain and cybersecurity experts say the whole ordeal could have been detected years ago.