Marriott International has said hackers stole about 500 million records from its Starwood Hotels reservation system in an attack that began four years ago, exposing personal data of customers including some payment card numbers.
The hack began in 2014, before Marriott offered to buy Starwood for $12.2 billion in November 2015, acquiring brands including Sheraton, Ritz Carlton and the Autograph Collection to create the world’s largest hotel operator.
The company closed the Starwood deal in September 2016. Marriott said for 327 million guests, compromised data could include passport details, phone numbers and email addresses. For some others, it could include credit card information. Marriott said it first found out about the breach after an internal security tool sent an alert on Sept. 8.
“We’ve opened an investigation into the Marriott data breach. Additionally, under New York law, Marriott was required to provide notification to our office upon discovering the breach; they have not done so as of yet,” said Amy Spitalnick, Communications Director and Senior Policy Advisor, Office of the New York Attorney General. Marriott said it would inform affected guests about the breach, and that it had reported it to law enforcement and regulatory authorities.
Several companies have suffered data hacks in recent years. The breach could cost Marriott hundreds of millions of dollars in legal costs. Yahoo said last year all of its three billion accounts were hacked in a 2013 data theft. Attorneys had said the breach sharply increased the legal exposure of its new owner, Verizon Communications Inc. Altaba Inc, as Yahoo came to be known after Verizon bought it, said it expected to pay a total of $47 million in litigation expenses to settle related cases. News of the attack highlights the need for companies to pay close attention to cyber security when making acquisitions.