One analyst referred to the breach as "one of the top 5 worst hacks that directly impacts the general public."
Marriott issued a statement Friday admitting this data breach goes back to 2014. The hotel chain says it learned about the data breach back in early September, but is only now starting to notify its guests.
"You expect privacy. And that's something they didn't deliver on, you know. It's upsetting," says a W hotel guest, who only wanted to be identified by his first name Matt.
"Marriott values our guests and understands the importance of protecting personal information. For more information on the Starwood guest reservation database security incident, please visit https://t.co/NWd6Dg2oOQ." - Marriott Internat'l (@MarriottIntl), November 30, 2018
According to Marriott, hackers copied and then encrypted the personal information of possibly 500 million guests who made reservations at Marriott's Starwood properties. Those include places like the W Hotel, the St. Regis and Sheraton Hotels and Resorts. (Full list of properties stated below).
Hackers got names, addresses, email accounts, dates of birth, passport numbers, and in some cases, credit card numbers.
In their statement Marriott says, "There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken."
"Very few of us are likely to be able to go back four years to check every credit card and bank statement. So, that makes it harder to detect a possible fraud," explains Larry Magid, tech analyst and CEO of ConnectSafely.Org.
He calls this a deliberate breach by sophisticated criminals who know how to hide their tracks.
"So, unless (Marriott) was proactively looking with forensic computer people, they must have just simply missed it," he says.
Meanwhile, there is still no proof of any information being sold, but Marriott still doesn't know everything that was taken.
McCoy says another issue is that this could bring out a second set of scammers, who pretend to be Marriott and ask for personal information in connection with this breach. Analysts advise dealing directly with Marriott, either through its website or by calling the hotel chain.
California residents can contact the hotel directly to ask about their information by email at email@example.com, or by calling (877)-273-9481.
Marriott is working to identify duplicate information but said that the breach could impact up to 500 million guests. The hotel company said it is supporting law enforcement efforts.
"Marriott deeply regrets this incident happened," reads a statement in the company's press release. "From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts."
There is more information from Marriott and answers to frequently asked questions about the breach here.
These are the hotels that are part of Marriott's Starwood properties:
- W Hotels
- St. Regis
- Sheraton Hotels & Resorts
- Westin Hotels & Resorts
- Element Hotels
- Aloft Hotels
- The Luxury Collection
- Tribute Portfolio
- Le Méridien Hotels & Resorts
- Four Points by Sheraton
- All Design Hotels that participate in the Starwood Preferred Guest (SPG) program
- Starwood branded timeshare properties are also included