The world's largest hotel chain, Marriott International, revealed Friday that a breach of its Starwood reservation system has exposed personal and financial information of 500 million guests.
There had been "unauthorized access" to the Starwood database since 2014, but Marriott said it wasn't alerted to a security issue until about two months ago. On Nov. 19, it was able to determine that the data came from the Starwood guest database, the company said.
Any guests who made reservations at Starwood properties on or before Sept. 10 may have been affected. The breach did not involve Marriott-branded hotels.
The crisis quickly emerged as one of the biggest data breaches on record.
"On a scale of 1 to 10 and up, this is one of those No. 10 size breaches. There have only been a few of them of this scale and scope in the last decade," said Chris Wysopal, chief technology officer of Veracode, a security company.
There are 11 Starwood-affiliated flags, including Aloft, Westin, Sheraton, St. Regis and W Hotels.
Just one Charleston property, the Aloft Hotel in North Charleston, is a part of the brand. Eight other Starwood hotels are located throughout South Carolina.
Sheraton has two properties in Myrtle Beach and one in downtown Columbia. Aloft holds two properties in Columbia and one in Greenville. Westin-branded hotels are in Greenville and Hilton Head.
Marriott estimates that, for 327 million guests, personal information such as phone numbers, passport numbers, birth dates, Starwood Preferred Guest account information and reservation dates was exposed.
For an unknown number of those consumers, payment card numbers and expiration dates were also collected. Though that information is encrypted, Marriott said it "has not been able to rule out the possibility" that hackers had the tools needed to decrypt the numbers.
For the remaining customers, information was limited to names and sometimes mailing or email addresses, the company said.
Marriott CEO Arne Sorenson said in a written statement that the lodging giant is working to phase out the Starwood system and "accelerate the ongoing security enhancements" to its network.
The company has set up a website with information about the breach, and said that customers who may have been affected will be notified by email.
Loyalty members should monitor their Starwood Preferred Guest accounts for suspicious activity, and all customers are advised to check credit card statements for unauthorized purchases, Marriott said.
With so many types of information exposed, this breach — second only to Yahoo's in terms of customers affected — has many layers, said Greg Sparrow, a cyber security policy expert at the consulting firm CompliancePoint.
"The passport number is likely where you'll find the most headaches and greatest risk from a consumer perspective," Sparrow said. The information can be used to steal a person's identity and is much more valuable, from a hacker's perspective, than credit card information, he said.
Passport numbers are often requested by hotels outside the U.S. because U.S. driver's licenses are not accepted there as identification. The numbers could be added to full sets of data about a person that bad actors sell on the black market, leading to identity theft.
And while the credit card industry can cancel accounts and issue new cards within days, it is a much more difficult process, often steeped in government bureaucracy, to get a new passport.
Ted Rossman, an analyst from CreditCards.com, recommended that affected Starwood customers freeze their credit, which would prevent anyone from fraudulently opening accounts in their names.
Marriott International acquired Starwood Hotels and Resorts for $13 billion in 2016, making it the world's largest lodging chain. More than 7,200 hotels worldwide are currently under Marriott ownership or management with many more in the pipeline, including several properties in the Charleston area.
In August, Marriott initiated the merger of the hotel chains' loyalty programs. That has had its own technical issues, including complaints from Starwood loyalty customers of incorrect point balances and unrecorded stays.
Marriott said in a filing that it was premature to estimate the financial impact of the breach announced Friday. It noted that it does have cyber insurance, and is working with its insurance carriers to assess coverage.