Marriott said it was alerted on September 8 that there had been an attempt to hack their reservation database in the United States.
The company launched a probe, and discovered "that there had been unauthorised access to the Starwood network since 2014".
They discovered "that an unauthorized party had copied and encrypted information, and took steps towards removing it".
On November 19 Marriott "was able to decrypt the information and determined that the contents were from the Starwood guest reservation database".
"We deeply regret this incident happened," said Arne Sorenson, Marriott's President and Chief Executive Officer. "We fell short of what our guests deserve and what we expect of ourselves."
(With inputs from agencies.)