The Marriott International hotel chain said on Friday that the database of its Starwood reservation system had been hacked and that the personal details of up to 500 million guests going as far back as 2014 had been compromised.

The hotel group, which runs more than 6,700 properties around the world, was informed in September about an attempt to access the database, and an investigation this month revealed that unauthorized access had been made on or before Sept. 10, Marriott said in a statement.

The hotel chain said that personal details including names, addresses, dates of birth, passport numbers, email addresses and phone numbers for hundreds of millions of guests may have been compromised.

The investigation also found that an “unauthorized party had copied and encrypted information, and took steps toward removing it,” the statement said.

Hackers also obtained encrypted credit-card information for some customers, but it was unclear if the hackers would be able to use those payment details.

Marriott said it wasn’t sure how many passport numbers and dates of birth were stolen but said that it was a “subset” of the larger number of affected consumers, since this information is not a part of every reservation.

Richard Gold, head of security engineering at the cybersecurity firm Digital Shadows, said the breach ranks among the largest of consumer data, on par with breaches at Yahoo and the credit-scoring giant, Equifax.

“This is an incredibly big number,” Mr. Gold said.

He said hotels are an attractive target for hackers because they hold a lot of sensitive information, including credit card and passport details, but often don’t have security standards as tough as those of more regulated industries, like banking.

“We deeply regret this incident,” Arne Sorenson, Marriott’s president and chief executive officer, said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

To enroll, customers should first click their country of residence at the bottom of Marriott’s information page. On the next page, on the right side halfway down, click “I believe I am affected by the Starwood Reservation Database security incident.”

Marriott, based in Bethesda, Md., is the world’s largest hotel chain, having bought Starwood Hotels and Resorts Worldwide two years ago for $13.6 billion. The merger brought brands like Westin, W and Sheraton under the same roof, and prompted questions about whether the brands being acquired would lose some of their cool factor.

Customers also complained about problems with rewards programs after efforts to merge data from Starwood’s rewards program into Marriott’s left the records of millions of customers in limbo for weeks.

The company has also been grappling in recent weeks with strikes by thousands of workers, who walked out of 49 hotels in nine cities to call for better health care, wages and protection from sexual harassment.

In August, the Justice Department indicted members of an Eastern European cybercrime ring called Fin7. Hotel chains were among its targets.

In 2015, Starwood disclosed that the point of sale systems at some of its hotels had been hacked, resulting in the loss of payment card details.

Knowing the culprits behind the latest breach would help investigators know what the information will be used for, Mr. Gold said. Passport information is particularly useful to criminals for identity theft, he said. A nation state is more likely to use the information for intelligence purposes, such as learning about the whereabouts of important people.


قالب وردپرس