Marriott data breach: New York Attorney General opens investigation into hack that may have affected 500 million guests

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

New York’s Attorney General has launched an investigation into a major data breach impacting the global hotel chain Marriott.

Officials believe as many as 500 million guests who have stayed at Marriott hotels over the years could have been affected in the security breach, which may be among the largest on record.

“We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said in a prepared statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

In a tweet Friday, Attorney General Barbara Underwood said residents need to know that their personal information is safe after Marriott revealed unauthorized access to data within its Starwood network has been taking place since 2014 in what may be among the largest data breaches on record.

Marriott acquired Starwood in 2016 and the process of merging its computer system with Starwood computers has been marred by technical glitches.

Email notifications to those who may have been affected will begin rolling out Friday. While the breach affected “approximately 500 million guests” who made a reservation at a Starwood hotel, some of those records could include a single person who booked multiple stays. The company manages more than 6,700 properties across the globe.

The company said credit card numbers and expiration dates of some guests may have been taken. For as many as two-thirds of those affected, data exposed could include mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For some guests, the information was limited to name and sometimes other data such as mailing address, email address or other information.

Asked for more details on the 500 million number, Marriott spokesman Jeff Flaherty said Friday that the company has not finished identifying duplicate information in the database.

An internal security tool signalled a potential breach in early September, but the company was unable to decrypt the information that would define what data had potentially been exposed until last week.

Marriott, based in Bethesda, Maryland, said in a regulatory filing that it’s premature to estimate what financial impact the data breach will have on the company. It noted that it does have cyber insurance, and is working with its insurance carriers to assess coverage.

The Starwood breach stands out among even the largest security hacks on record. Hilton had two separate data breaches that exposed more than 350,000 credit card numbers. One breach began in November 2014 and another in April 2015. Yahoo had a data breaches in 2013 and 2014 that impacted about 3 billion of its accounts. Target also had an incident in 2013 that affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. Last year, Equifax disclosed a data breach that affected more than 145 million people.

Additional reporting by AP.