Marriott Hacked: Massive Data Leak Exposes 500 Million Customers—Starwood Hotels Breached Since 2014

Marriott International announced today that a massive breach of its guest reservation database compromised the data of approximately 500 million guests who had made reservations at its Starwood properties.

The company said an unauthorized party "copied and encrypted" data. Marriott found there had been unauthorized access to its Starwood reservation system since 2014.

In a statement, the company said: "For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences."

For some, the information also included payment card numbers and payment card expiration dates. Marriott said that it had reported the breach to law enforcement.

"There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken," the hotel chain said in its statement. "For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address or other information.

"We deeply regret that this incident happened," said Arne Sorenson, Marriott's president. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests and using lessons learned to be better moving forward."

Marriott said it received an alert from an "internal security tool" regarding an attempt to tap the Starwood U.S. guest reservation database on September 8.

The leak affected customers who made reservations at Starwood properties.

Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, the Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

Marriott values our guests and understands the importance of protecting personal information. For more information on the Starwood guest reservation database security incident, please visit

— Marriott International (@MarriottIntl) November 30, 2018

"We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center," Sorenson said.

"We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network."

Starting today, Marriott International said it would begin sending emails "on a rolling basis" to affected guests whose email addresses were in the Starwood guest reservation database.

Marriott International acquired Starwood in September 2016.

What You Need to Know:

What information was stolen?

The guest reservation database includes information about hotel guests who made reservations at Starwood properties, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest ("SPG") account information, dates of birth, gender, arrival and departure information, reservation dates and communication preferences.

Was my account information stolen?

If you made a reservation on or before September 10, 2018, at a Starwood property, data you provided may have been compromised. The Starwood network is kept separate from Marriott's.

How many customers were affected?

Marriott has not finished identifying duplicate information in the database, but believes it contained information on up to approximately 500 million guests who made reservations at a Starwood property on or before September 10. The affected guest reservation database was used only for Starwood reservations. Marriott uses a separate reservation system that is on a different network.