Around 327 million of those records included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Worse still, Marriott said an unknown amount contained encrypted credit card data, and has "not been able to rule out" that both components required to decrypt the data wasn't also taken.
"We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center," the company said in a statement. "We will also continue to support the efforts of law enforcement and to work with leading security experts to improve." It added that it is "phasing out" Starwood systems as part of its ongoing security work.
Marriott completed its takeover of Starwood Hotels & Resorts -- the world's biggest hotel chain -- in 2016, handing it 5,700 properties, spanning 1.1 million rooms, in 110 countries. Its chains include W Hotels, St. Regis, Sheraton, Westin, Element and more. Marriott said that its own hotels were not affected by the breach as its reservation system is on a different network.