(Reuters) – Marriott International said on Friday that hackers stole some 500 million records from Starwood Hotels' reservation system in an attack that began four years ago, revealing personal data from customers including some payment card numbers.
The company's shares fell 4 percent to $117 in pre-market trading.
The hack started in 2014, before Marriott offered to purchase Starwood for $12.2 billion in November 2015, acquiring brands such as Sheraton, Ritz Carlton, and the Autograph Collection to create the world's largest hotel operator. The company completed the Starwood deal in September 2016.
Marriott said that for 327 million guests, the data could include passport details, phone numbers, and email addresses. For some others, credit card information may be included.
Marriott claimed to have learned about the breach for the first time after an internal security tool sent a warning on September 8.
"We have initiated an investigation into the Marriott violation. Under New York law, Marriott was required to notify our office as soon as the breach was discovered. So far, they have not done so," said Amy Spitalnick, Communications Director and Senior Policy Advisor at the New York Procurator's Office.
Marriott said it would begin informing affected guests of the breach from Friday and that it has reported the breach to law enforcement agencies and regulators.
Several companies have suffered data hacks in recent years. The breach could cost Marriott hundreds of millions of dollars in legal costs.
Yahoo said last year that all three billion of its accounts had been compromised in a data theft in 2013. Lawyers said the breach had dramatically increased the legal exposure of its new owner, Verizon Communications Inc.
Altaba Inc., as Yahoo became known after the Verizon acquisition, said it expected to pay $47 million to settle related litigation.
The news of the attack highlights the need for businesses to pay special attention to cybersecurity adoption.
"Understanding the cybersecurity attitude of an investment is critical to assessing the value of the investment and addressing the reputational, financial and legal damage that the company might encounter," said Jake Olcott, vice president at cybersecurity company BitSight.
Marriott said Friday it was too early to assess the financial impact of the breach and that it would not affect its long-term financial health. The hotel chain said it is working with its insurance carriers to evaluate the coverage.