The massive breach is "easily in the top five for worst hacks that directly impact the general public," Jim McCoy, creator of the Vektor home cybersecurity device, told ABC News.
The breach involves unauthorized access to the Starwood system that has been occurring since 2014, according to a press release. Marriott discovered the breach on Sept. 8, 2018, and said that the impacted reservations were made on or before Sept. 10.
Marriott values our guests and understands the importance of protecting personal information. For more information on the Starwood guest reservation database security incident, please visit https://t.co/NWd6Dg2oOQ. — Marriott Internat'l (@MarriottIntl) November 30, 2018
Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. The investigation only identified unauthorized access to the separate Starwood network, not the Marriott network, the company said.
For about 327 million of the impacted guests, the information involved in the breach includes, according to Marriott, "some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences." For other guests, the information was more limited.
As for credit card information, Marriott "has not been able to rule out the possibility" that it was also taken for some customers. The hotel company explained that two components are needed to decrypt the payment numbers for the cards, and Marriott is still determining whether the numbers were decrypted.
Marriott is working to identify duplicate information but said that the breach could impact up to 500 million guests. The hotel company said it is supporting law enforcement efforts.
"Marriott deeply regrets this incident happened," reads a statement in the company's press release. "From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts."
What to do if you think you might be impacted
If you stayed at a Starwood property, monitor your card statements and your Starwood Preferred Guest account for suspicious activity. Additionally, check your inbox, as emails with instructions began going out Friday to those whose information may have been taken.
However, cybersecurity experts warn against clicking on a link in an email if you're not positive it's from Marriott (they will be sending from the address firstname.lastname@example.org).
"These sort of events also bring out a second set of scammers who will be sending phishing emails pretending to be Marriott and asking users to either 'confirm' details or enter details to see if they are on the list," McCoy said. "The info they will be asked about will then be used to steal their identity."
For those who were potentially impacted, Marriott is offering a chance to enroll in WebWatcher, which monitors sites that share personal information and sends an alert if yours has been shared.
If you would like to learn more about the incident from Marriott, contact their U.S. call center at 877-273-9481.