Marriott International said on Friday that a guest reservation database of its Starwood Hotel brand was breached, potentially exposing information on about 500 million guests.
The company said its investigation showed that an unauthorized party had copied and encrypted information, and that there had been unauthorized access to the Starwood network since 2014.
The company said it had taken steps to rectify the situation. Marriott was not immediately available for further comments.
For about 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender among other personal details, Marriott said.
For some, the information also includes payment card numbers and expiration dates, but those numbers were encrypted, the hotel chain said.
There are two components needed to decrypt the payment card numbers, and at this point, Marriott said it has not been able to rule out the possibility that both were stolen.
The company said it reported this incident to law enforcement and continues to support their investigation and has already begun notifying regulatory authorities.
Marriott bought Starwood in 2016.