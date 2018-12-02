This Feb. 1, 2010, file photo, shows the Westin Philadelphia hotel in Philadelphia. The information of as many as 500 million guests at Starwood hotels has been compromised and Marriott said that it's discovered that unauthorized access to data within its Starwood network has been taking place since 2014. The company said Friday, Nov. 30, 2018, that credit card numbers and expiration dates of some guests may have been taken. (AP Photo/Matt Rourke, File)

NEW YORK -- The data stolen from the Marriott hotel empire in a huge breach is so rich and specific it could be used for espionage, identity theft, reputational attacks and even home burglaries, security experts say.

Hackers stole data on as many as 500 million guests of former Starwood chain properties over four years, including credit card and passport numbers, birth dates, phone numbers and hotel arrival and departure dates.

It is one of the biggest data breaches on record. By comparison, last year's Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.

The affected reservation system could be extremely enticing to nation-state spies interested in the travels of military and senior government officials, said Jesse Varsalone, a University of Maryland cybersecurity expert.

"There are just so many things you can extrapolate from people staying at hotels," he said.

The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.

Email notifications for those who may have been affected begin rolling out Friday.

Security analysts were especially alarmed to learn of the breach's longevity. Marriott said it detected the breach Sept. 8 but was unable to determine until last week what data had possibly been exposed -- because the thieves used encryption to remove it in order to avoid detection.

Marriott said it did not yet know how many credit card numbers might have been stolen.

Marriott said the stolen credit card information was encrypted but the hackers may have obtained the "two components needed to decrypt the payment card numbers." It said it cannot "rule out the possibility that both were taken."

For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest account information.

