WASHINGTON - As many as 500 million guests at Marriott International hotels may have been victims of a hack that in most cases pilfered passport numbers or other key identifying data, the company announced Friday.
Marriott said it was alerted on September 8 that there had been an attempt to hack their reservation database in the United States.
The hack is among the largest ever disclosed, prompting a big drop in Marriott shares and an investigation by New York Attorney General Barbara Underwood, who said on Twitter that "New Yorkers deserve to know that their personal information will be protected."
The company discovered "that there had been unauthorized access to the Starwood network since 2014," which compromised personal and financial information.
The probe found "an unauthorized party had copied and encrypted information and took steps towards removing it."
After decrypting the information, the company found on November 19 "that the contents were from the Starwood guest reservation database."
Hotel brands in the Starwood network include Sheraton, Westin, Four Points and W Hotels. Marriott completed a $13.6 billion acquisition of Starwood in 2016. The deal was announced in November 2015.
"We deeply regret this incident happened," Marriott chief Arne Sorenson said in a statement. "We fell short of what our guests deserve and what we expect of ourselves."
Marriott said hackers accessed information like names, addresses and dates of birth from most of the affected customers but could not rule out that they were also able to access some encrypted credit card information.
After reaching the deal with Marriott, Starwood disclosed in November 2015 that it suffered a hack on some hotels in North America, later determining that malware affected restaurants and gift shops but that there was no evidence the infiltration netted key consumer data, such as social security numbers or debit card codes.
Marriott's statement did not mention the earlier Starwood disclosure.
Marriott said it would reach out to victims of the hack and was offering support to those affected including free, one-year enrollment in WebWatcher, a service which monitors internet sites where personal data is shared.
Marriott also is working with law enforcement and security experts to tighten security on its system.
It is the latest case of massive breaches that have compromised personal data and can cause years of headaches for victims, who often face serious legal and financial repercussions.
Marriott said it was "premature" to estimate the financial hit from the breach and that it carried cyber insurance that could take care of some of the costs.
"The company does not believe this incident will impact its long-term financial health," Marriott said in a securities filing. "As a manager and franchisor of leading lodging brands, the company generates meaningful cash flow each year with only modest capital investment needed to grow the business."
Shares of Marriott slumped 5 percent to $115.81 in mid-morning trading.