Marriott International said on Friday that a guest reservation database for its Starwood Hotel brand was breached, potentially revealing information on some 500 million guests.
The company said its investigation showed that an unauthorized party had copied and encrypted the information, and that there had been unauthorized access to the Starwood network since 2014.
The company said it had taken steps to rectify the situation. Marriott was not immediately available for further comment.
According to Marriott, the information includes a combination of name, postal address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth and gender, among other personal information, Marriott said.
For some, the information also includes payment card numbers and expiration dates, but those numbers were encrypted, the hotel chain said.
There are two components required to deciphering payment card numbers, and at this point, Marriott said it has been unable to rule out the possibility that both were stolen.
The company said it had reported this incident to the police and continues to support their investigation and has already started notifying regulatory authorities.
Marriott bought Starwood in 2016.