The stock dropped 5.6% in pre-market trading in the wake of the revelation.
The illegal access had been active since 2014. Bethesda, Maryland-based Marriott only learned of the data theft on Nov. 19.
Brands involved include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest (SPG) program, as well as Starwood-branded timeshare properties.
Properties under the Marriott name aren’t on the list because those reservation systems were separate and on their own networks.
Potentially affected are people who stayed at a Starwood property on or before September 10, 2018. Of the 500 million guest records, 327 million included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, birthdate, gender, arrival and departure information, reservation date, and communication preferences.
An undisclosed number also included encrypted payment card numbers along with expiration dates. However, the company hasn’t been able to rule out that the thieves obtained enough information to decrypt the numbers.
The company began sending emails today to people whose data may have been obtained. Marriott (MAR) has established a dedicated website and call center for people who may have been affected. It will also offer an alert service that monitors hacker Internet sites.