An estimated 500 million people who booked a Starwood branded hotel in the last four years have been affected by a massive data breach announced by Marriott.

Starwood properties impacted are Aloft, Design Hotels, Element, Four Points by Sheraton, Le Meridien, The Luxury Collection, St. Regis, Sheraton, Tribute Portfolio, W Hotels and Westin. Those booking these properties in the last four years are being advised to change their password for their Starwood Preferred Guest Rewards Program immediately, review their banking and credit card accounts for suspicious activity, consider a credit freeze if concerned about their financial information being compromised and to be alert for any emails supposedly from Marriott that might have been sent by cybercriminals looking to exploit the breach.

For most customers the breached data includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, and communication preferences. In some cases credit card numbers and expiration dates were also exposed.

Two US law firms, Murphy, Falcon and Murphy and Morgan and Morgan have filed a national class action lawsuit against Marriott International on behalf of the 500,000 customers. The lawsuit alleges that Marriott failed to invest enough resources in its security programmes to discover the breach sooner.