The personal information of as many as 500 million people staying at Starwood hotels has been compromised as Marriott says it has uncovered unauthorised access taking place within its Starwood network since 2014.
The company said on Friday that credit card numbers and expiration dates of some guests may have been taken.
For about 327 million people, the information exposed includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.
Starwood operates hotels under the names: W Hotels, St Regis, Sheraton Hotels and Resorts, Westin Hotels and Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Meridien Hotels and Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.
For some guests, the information was limited to name and sometimes other data such as mailing address, email address or other information.
Marriott said there was a breach of its database in September, which had guest information related to reservations at Starwood properties on or before September 10.
Marriott discovered through the investigation that someone copied and encrypted guest information and tried to remove it.
Chief executive Arne Sorenson said in a prepared statement on Friday that Marriott is still trying to phase out Starwood systems.
Marriott has set up a website and call centre for anyone who thinks that they are at risk, and on Friday will begin sending emails to those affected.
Marriott and Starwood merged two years ago and attempts to combine the loyalty programs for the hotels have been marred by technical difficulties.