As many as 500 million people who made reservations at Starwood properties may have had their personal information accessed in a breach that lasted as long as four years.

The world's largest hotelier said Friday it determined Nov. 19 that a breach had occurred involving the Starwood guest reservation database, which has information on reservations at Starwood properties made on or before Sept. 10, 2018.

A breach that massive would make Marriott's Starwood incident among the largest breaches ever. The 2013 Yahoo breach, which affected as many as 3 billion accounts, remains the largest so far. A separate subsequent Yahoo breach also hit 500 million accounts.

The breach has drawn the attention of legislators and regulators across the U.S. and is expected to attract scrutiny from the European Union due to the global nature and scope of the incident. Marriott stock fell more than 5.5 percent Friday, closing at $115.03.

Marriott said it got an alert Sept. 8 about an attempt to access the Starwood database in the U.S. and enlisted security experts to assess the situation. During the investigation, Marriott said it learned there had been unauthorized access to the Starwood network since 2014.

An unauthorized party had copied and encrypted information from the database and had taken steps toward removing it, Marriott says. The company was able to decrypt the information on Nov. 19 and found that the contents were from the Starwood guest reservation database.

Marriott has not finished decrypting the duplicated data but says it contained information on as many as 500 million guests who made a reservation at a Starwood property. For about 327 million of them, Marriott says, the data includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.

"This is big ... the biggest threat to U.S. national security that we have ever faced" from data breaches, said Peter Aiken, associate professor of information systems at the Virginia Commonwealth University School of Business.

That's because data from Marriott's massive Starwood breach can be combined with data from earlier breaches, such as those at Equifax, Target and the dating site Ashley Madison, some of which included official government email addresses. Cybercriminals or foreign actors more readily target "people who are vulnerable from a national security perspective," Aiken said.

Marriott faces domestic and international regulatory and legal repercussions, as well as a major hit to its reputation, says Jeff Pollard, vice president and principal analyst at research firm Forrester. The hackers' access appears to go back four years and apparently went undetected during the companies' merger, he said.

"In this case, it means a lot primarily not just because of the amount of data captured but the data obtained by the attacker was a lot of really sensitive data," Pollard said. "It's ripe for identity theft. And it's not just personal but national security. We don't know if the attacker was a cybercriminal or a nation-state."

In addition to federal regulatory inquiries, there will likely be state investigations, too. New York Attorney General Barbara Underwood said Friday on Twitter, "We've opened an investigation into the Marriott data breach. New Yorkers deserve to know that their personal information will be protected."

Also launching an investigation: Illinois Attorney General Lisa Madigan.

Perhaps most important will be the response from the European Union, which six months ago enacted the GDPR (General Data Protection Regulation) with provisions for improved security and privacy policies for EU residents' personal information. The Starwood breach was global, but Marriott has not detailed specifics on what countries were hardest hit.

"The EU is going to come after them with some very severe penalties around this, and this will happen fairly quickly," Aiken said. "I think they are probably going to try to use this as an example because the first case should be one to make an impact and get people to sit up and pay attention."

U.S. Senators Mark Warner, D-Va., and Richard Blumenthal, D-Conn., called for U.S. passage of similar national standards. "We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need," he said in a statement on Twitter. "And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses."

Any guest who made a Starwood reservation, regardless of whether they are a Starwood Preferred Guest member, may have had their data involved in the breach, Marriott says. For some Starwood guests, the data may also include payment card numbers and payment card expiration dates, but the payment card numbers were encrypted, Marriott says.

Still, Marriott has not been able to rule out the possibility that the breach led to that data being accessed. For the remaining customers, the information was limited to name and possibly other data such as mailing address, email address or other information.

Marriott has notified regulators about the breach and continues to work with law enforcement on the investigation, the company says.

“We deeply regret this incident happened,” Marriott President and CEO Arne Sorenson said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Marriott completed its $13 billion acquisition of Starwood Hotels and Resorts in September 2016 to make the combined company the largest hotel chain in the world with more than 5,500 hotels at the time. Marriott now has more than 6,700 hotels.

After the merger, members of the Marriott Rewards and Starwood Preferred Guest programs were able to link their accounts. However, Marriott uses a separate reservation system on a different network for Marriott hotels.

Starwood Hotels include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.

Marriott says it will begin emailing guests whose email addresses are in the database on Friday. The company says it will provide guests with the online account monitoring service WebWatcher free of charge for one year. The service reimburses fraud losses of up to $1 million. U.S. customers who use it will also get fraud consultation services and reimbursement coverage for free.

To enroll in WebWatcher and get additional information about the breach, customers can go to info.starwoodhotels.com.

Instead of stressing cybersecurity and care of the Starwood database during the companies' merger, Marriott now "will suffer for it long after," Forrester's Pollard said. For Marriott and its customers who frequent Starwood hotels, "this is going to have a long tail."

Other steps Marriott recommends to guests potentially hit in the breach:

• Monitor your Starwood Preferred Guest account for suspicious activity.

• Change your password. Do not use easily guessed passwords or the same password for multiple accounts.

• Review your credit-card statements for unauthorized activity and immediately report any to your bank.

• In the wake of data breaches, consumers should be wary of third parties attempting to gather information by deception, so-called "phishing" attempts, including through links to fake websites. Marriott will not ask you to provide your password by phone or email.

• If you think you may be the victim of identity theft – or your personal data has been misused – immediately contact law enforcement and the Federal Trade Commission. On its site, the FTC recommends consumers get a free, one-year fraud alert from one of the three credit bureaus – Equifax, Experian or TransUnion.

Follow USA TODAY reporter Mike Snider on Twitter: @MikeSnider.