Data of about 500 million Starwood clients may have been compromised in a breach that might have happened since 2014, according to the advisory posted by Marriott International.

The investigation revealed that the incident happened “on or before September 10, 2018” where information of about 327 million Starwood guests was taken. The data includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival, and departure information, reservation date, and communication preferences.”

For the other guests, the compromised information includes payment card numbers and payment card expiration dates.

Marriott was quick to say that it has encrypted payment card numbers. However, it didn’t rule out that these data may have also been taken. For the other guests, the information taken was limited to names, and email and mailing addresses.

Marriott explained it found out about the data security incident when it received an alert from an internal security tool about an attempt to access the hotel’s reservation database.

The investigation led to the discovery of an ongoing hacking since four years ago and encrypted information has been copied. On Nov. 19, the hotel said, its security officers were able to “decrypt the information and determined that the contents were from the Starwood guest reservation database.

Marriott and Starwood merged its loyalty programs after its merger two years ago.

Marriot has set up help centers and notified through email its affected clients. The dedicated call center is open seven days a week and is available in multiple languages.

Image from Marriott-Starwood website