As many as 500 million customers of hotel giant Marriott may have had their personal data compromised, and for an undisclosed number that could have include payment card numbers and expiry dates.

The hotel chain said that those card numbers were encrypted with AES-128, but warned that it could not rule out the possibility that the two components needed to decrypt these numbers were also compromised.

For about 327 million of the 500 million guests who had made a reservation, information includes names, mailing addresses, phone numbers, email addresses, passport numbers, the ‘Starwood Preferred Guest’ account information, date of birth, gender, arrival and departure information, reservation data, and communication preferences.

Guest information dating as far back as 2014 hosted on its Starwood reservation database could be affected. It was not until 8 September this year that the chain received an alert from a security tool about an attempt to access this database.

In a statement posted today Marriott said: “Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorised access to the Starwood network since 2014. Marriott recently discovered that an unauthorised party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”

The resort multinational owns hotel brands such as the W, Sheraton, and Westin