A Chinese cyberespionage campaign was behind a devastating data breach affecting millions of Marriott guests, reports suggest.
The data breach, revealed last month, involved the personal information of 500 million customers.
Data including guest names, mailing addresses, phone numbers, passport numbers, dates of birth, and Starwood Preferred Guest ("SPG") account information, as well as payment card data -- in some cases -- was stolen.
Access had been gained to the Starwood guest reservation database back in 2014 but was only uncovered in November this year. Starwood was acquired by Marriott in 2016.
According to the New York Times, the threat actors behind the intrusion may be linked to China's Ministry of State Security, a department responsible for intelligence gathering.
The US Department of Justice (DoJ) recently convicted 10 Chinese nationals charged as Ministry of State Security operatives tasked with hacking both US and European companies for the purpose of intellectual property and confidential data theft.
Two officials briefed on the matter said the hackers responsible for the Marriott data breach have also been connected to cyberattacks launched against health insurers and the theft of US security clearance files. The other organizations involved have not been named.
A spokesperson for the Ministry of Foreign Affairs denied these claims as well as any knowledge of how the Marriott cyberattack took place, or why.
"If offered evidence, the relevant Chinese departments will carry out investigations according to the law," the spokesperson added.
A Marriott spokeswoman said the company has not speculated when it comes to the identity of the threat actors.
The report has emerged at a time when the relationship between the US and China is strained over trade deals and tariffs. The NYT reports that the DoJ is set to announce a fresh set of indictments against Chinese cyberattackers linked to cyberespionage in the near future.
Only hours after the reveal of the data breach, Marriott became the subject of a class-action lawsuit seeking $12.5 billion in damages on behalf of those affected. This may sound like a vast amount but only equates to $25 per customer.
Marriott does, however, intend to reimburse some customers. A company spokesperson said that Marriott will foot the bill for new passports in cases where victims can prove the use of stolen passport numbers in fraudulent activities permitted by the data breach.
Marriott CEO Arne Sorenson has apologized to the firm's customers, saying that the hotel chain "fell short of what our guests deserve and what we expect of ourselves."