The Maryland-based Marriott International hotel chain, whose brands include Starwood, W, Ritz-Carlton and Sheraton as well as many boutique chains, announced the breach on Friday, acknowledging that an estimated 500 million customers are affected and that passport numbers, email addresses, credit card numbers, names and mailing addresses were stolen, according to Bloomberg.
The intrusion appears to have originated in 2014 at Starwood Hotels, some two years before the brand's acquisition by Marriott; as a Washington Post report noted, "the existing breach went undetected during the merger and for years afterward."
A Marriott statement said that the longstanding unauthorized access to Starwood's guest reservation database was confirmed on November 19, although it was not publicly acknowledged until November 30.
According to reports, the attackers copied encrypted data from Starwood's reservation network. After discovering the breach, Marriott determined that about 327 million of the roughly 500 million affected guests had "some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences," as Ars Technica reported.
The world's third largest hotel chain said an unknown number of credit card numbers were taken and acknowledged that, although the card numbers were encrypted with AES-128, the attackers likely also obtained the components needed to decrypt them. The cipher itself is not the weak point here: encryption at rest protects stolen data only as long as the keys stay out of reach of whoever can read the ciphertext, so if the key material was accessible from the same compromised systems, the attackers could decrypt the card numbers at leisure.
"We deeply regret this incident happened," stated Marriott president and chief executive officer Arne Sorenson, in a corporate news release.
"We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward," the statement added.
It is not clear whether the breach was the work of criminals seeking to acquire and resell sensitive data or of nation-state cyberspies surveilling guests, "including possibly diplomats, business people, or intelligence officials as they moved around the globe," as the Washington Post reported.
Some experts now suspect the hotel chain's own guest WiFi networks were at the heart of the attack, although Marriott has not publicly confirmed how the attackers got in. Prior to its acquisition by Marriott, Starwood drew significant customer backlash when it tried to block guests from using personal hotspots in order to push them onto paid on-site connectivity. In 2015, the Federal Communications Commission (FCC) ordered Marriott and other chains to stop the practice.