Marriott International (MAR) said Friday that it is working to resolve a massive data breach that could have affected as many as 500 million customers that could have included passport numbers and credit card details.
The news pulled shares down by 5.59% to $115.03 by the market's close.
Marriott said the breach, which has been reported to law enforcement officials, was first alerted on September 8 and involved its Starwood guest reservation data base. On November 19, the company said, it determined there had been unauthorized access to the data going back to at least 2014.
"We deeply regret this incident happened," said CEO Arne Sorenson. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
"We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center," he added. "We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network."
Marriott said that data linked to around 327 million guests includes personal details such as name, date of birth, mailing and emailing address and phone numbers as well as passport numbers and Starwood Preferred Guest account information.
"For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted," Marriott said.
"There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken," Marriott said. "For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information."