Marriott says Starwood data breach could affect 500 million guests

Guest records were stolen from Starwood's reservation database.

Starwood Hotels has been hit by another data breach, the third such incident in as many years. Parent Marriott today revealed that the records of 500 million guests have been stolen from Starwood's guest reservation database. The hotel chain says it determined on November 19th that an "unauthorized party" had accessed the data as early as 2014.

Around 327 million of those records included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Worse still, Marriott said an unknown amount contained encrypted credit card data, and has "not been able to rule out" that both components required to decrypt the data wasn't also taken.

"We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center," the company said in a statement. "We will also continue to support the efforts of law enforcement and to work with leading security experts to improve." It added that it is "phasing out" Starwood systems as part of its ongoing security work.

Marriott completed its takeover of Starwood Hotels & Resorts -- the world's biggest hotel chain -- in 2016, handing it 5,700 properties, spanning 1.1 million rooms, in 110 countries. Its chains include W Hotels, St. Regis, Sheraton, Westin, Element and more. Marriott said that its own hotels were not affected by the breach as its reservation system is on a different network.