Marriott is revealing a massive database breach today, affecting up to 500 million guests of its Starwood hotels the company first acquired in 2016. A security investigation has concluded that there was “unauthorized access” to a database holding hotel guest records. “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014,” says a statement from the company. The Starwood security breach affects a number of branded hotels owned by Marriott, including W Hotels, Sheraton, St. Regis, Westin, and more.

The breach includes 327 million records of “some combination” of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

Marriott isn’t providing an exact number, but “some” hotel guests will have had their payment card information leaked. Marriott did encrypt this information using Advanced Encryption Standard encryption (AES-128), but the company notes both components needed to decrypt payment card numbers may have been stolen.

Marriott’s database breach is troubling

Database breaches are far too common, but it’s unusual to hear a large company not detect unauthorized access to its network and key customer database for a period of four years. Marriott’s carefully worded statement doesn’t identify who obtained access and how. That’s particularly troubling, as if this wasn’t a hack or full security breach then it could have been sloppy security that let anyone access this information and clone the database. That’s backed up by the fact Marriott reveals it discovered the database breach through a copied and encrypted version. Whether this copy is public, or for sale on the dark web, remains vague. There are also signs Marriott could have been breached in the past.

“We deeply regret this incident happened,” says Marriott CEO Arne Sorenson. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Marriott has reported this breach to law enforcement, and has begun notifying regulators. The company has also set up a dedicated website and call center, and is notifying affected guests by email today. Marriott is also offering free access to WebWatcher to help protect against identity fraud. We’ve reached out to Marriott to clarify some of the troubling aspects of this database breach, and we’ll update you accordingly.

The New York Attorney General’s Office announced today that it would be investigating the breach. “We’ve opened an investigation into the Marriott data breach,” Amy Spitalnick, communications director and senior policy advisor said to The Verge. “Additionally, under New York law, Marriott was required to provide notification to our office upon discovering the breach; they have not done so as of yet.”

Updated 11/20/18 9:42 a.m.: Updated to include a statement from the NY Attorney General's Office.