Facepalm: Another day, another data breach—and this one’s a biggie. Hotel chain Marriott has announced “a data security incident” that saw the details of around 500 million guests stolen from its reservation database.

In a statement, the company said that “unauthorized access” to the Starwood guest reservation database in the United States was detected on or before September 10. It found that the attacker(s) had been able to infiltrate the network since 2014.

327 million of the pilfered records include some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation dates, and communication preferences.

Worryingly, the chain says that some information also includes payment card numbers and payment card expiration dates. Although this data was encrypted, there are two components needed to decrypt the payment card numbers, and Marriott has not been able to rule out the possibility that both were taken.

Marriott is now working with law enforcement and has begun notifying regulatory authorities. It is informing customers of the breach, including those in the US, Canada, and the UK.

“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s President and Chief Executive Officer. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

At 500 million affected guests, the data breach is one of the 21st century’s biggest, placing it behind only the Yahoo hack that exposed three billion user accounts.

The exact nature of the Marriott breach has not been revealed, but Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, believes it was related to insecure web applications. “Many large companies still do not even have an up2date inventory of their external applications, let alone conducting continuous security monitoring and incremental testing. They try different security solutions without a consistent and coherent application security strategy. Obviously, one day such an approach will fail,” he said.

Image credit: Shutterstock