This photo taken on January 11, 2018 shows a Marriott logo in Hangzhou in China's Zhejiang province.
Authorities in China have shut down Marriott's local website for a week after the US hotel giant mistakenly listed Chinese-claimed regions such as Tibet and Hong Kong as separate countries. / AFP PHOTO / - / China OUT        (Photo credit should read -/AFP/Getty Images)
AFP/Getty Images
This photo taken on January 11, 2018 shows a Marriott logo in Hangzhou in China's Zhejiang province. Authorities in China have shut down Marriott's local website for a week after the US hotel giant mistakenly listed Chinese-claimed regions such as Tibet and Hong Kong as separate countries. / AFP PHOTO / - / China OUT (Photo credit should read -/AFP/Getty Images)
Now playing
01:33
Marriott's guest reservation system hacked
CNN
Now playing
02:50
Cybersecurity expert: Groups like Proud Boys need to be treated like ISIS online
This photo taken on August 4, 2020 shows Prince, a member of the hacking group Red Hacker Alliance who refused to give his real name, using his computer at their office in Dongguan, China's southern Guangdong province. - From a small, dingy office tucked away in an industrial city in southern China, the Red Hacker Alliance -- one of China's most well-known patriotic "hacktivist" groups -- maintain battle in the country's nationalistic online war. (Photo by NICOLAS ASFOURI / AFP)
NICOLAS ASFOURI/AFP/AFP via Getty Images
This photo taken on August 4, 2020 shows Prince, a member of the hacking group Red Hacker Alliance who refused to give his real name, using his computer at their office in Dongguan, China's southern Guangdong province. - From a small, dingy office tucked away in an industrial city in southern China, the Red Hacker Alliance -- one of China's most well-known patriotic "hacktivist" groups -- maintain battle in the country's nationalistic online war. (Photo by NICOLAS ASFOURI / AFP)
Now playing
04:22
Analyst explains why hospitals are vulnerable to hackers
cybercrime, hacking and technology concept - male hacker in dark room writing code or using computer virus program for cyber attack; Shutterstock ID 1083511010; Job: -
Shutterstock
cybercrime, hacking and technology concept - male hacker in dark room writing code or using computer virus program for cyber attack; Shutterstock ID 1083511010; Job: -
Now playing
02:24
Remote work leads to growing concerns over cybersecurity
CNN
Now playing
05:14
A hacker stole $1 million from him by tricking his cell phone provider
SocialProof Security CEO Rachel Tobac uses social engineering to hack CNN tech reporter Donie O'Sullivan's accounts.
Graphics: John General/CNN
SocialProof Security CEO Rachel Tobac uses social engineering to hack CNN tech reporter Donie O'Sullivan's accounts.
Now playing
04:35
Watch how a social engineering hack works
CNN Business' reporter Donie O'Sullivan ran his photo through Clearview AI's software during a demo at CNN's studio.
John General/Richa Naik/CNN
CNN Business' reporter Donie O'Sullivan ran his photo through Clearview AI's software during a demo at CNN's studio.
Now playing
02:33
Is this facial recognition app going too far? We tested it
Fiber optic cables feed into a switch inside a communications room at an office in London, U.K., on Monday, May 21, 2018. The Department of Culture, Media and Sport will work with the Home Office to publish a white paper later this year setting out legislation, according to a statement, which will also seek to force tech giants to reveal how they target abusive and illegal online material posted by users. Photographer: Jason Alden/Bloomberg via Getty Images
Bloomberg/Bloomberg/Bloomberg via Getty Images
Fiber optic cables feed into a switch inside a communications room at an office in London, U.K., on Monday, May 21, 2018. The Department of Culture, Media and Sport will work with the Home Office to publish a white paper later this year setting out legislation, according to a statement, which will also seek to force tech giants to reveal how they target abusive and illegal online material posted by users. Photographer: Jason Alden/Bloomberg via Getty Images
Now playing
02:18
How to protect yourself from hackers
BERLIN, GERMANY - JUNE 22: In this photo Illustration hands typing on a computer keyboard on June 22, 2016 in Berlin, Germany. (Photo Illustration by Thomas Trutschel/Photothek via Getty Images)
Thomas Trutschel/Photothek/Photothek via Getty Images
BERLIN, GERMANY - JUNE 22: In this photo Illustration hands typing on a computer keyboard on June 22, 2016 in Berlin, Germany. (Photo Illustration by Thomas Trutschel/Photothek via Getty Images)
Now playing
01:43
5 of the biggest data breaches​
People walk past a branch of the Capital One Bank on April 17, 2019 in New York City. (Photo by Johannes EISELE / AFP)        (Photo credit should read JOHANNES EISELE/AFP/Getty Images)
JOHANNES EISELE/AFP/AFP/Getty Images
People walk past a branch of the Capital One Bank on April 17, 2019 in New York City. (Photo by Johannes EISELE / AFP) (Photo credit should read JOHANNES EISELE/AFP/Getty Images)
Now playing
01:51
Romans: Don't trust companies to protect your data
Frederick M. Brown/Getty Images
Now playing
00:45
Weather Channel goes off air because of 'malicious software attacks'
LONDON, ENGLAND - AUGUST 09:  In this photo illustration, an image of the Google logo is reflected on the eye of a young man on August 09, 2017 in London, England. Founded in 1995 by Sergey Brin and Larry Page, Google now makes hundreds of products used by billions of people across the globe, from YouTube and Android to Smartbox and Google Search.  (Photo by Leon Neal/Getty Images)
Leon Neal/Getty Images Europe/Getty Images
LONDON, ENGLAND - AUGUST 09: In this photo illustration, an image of the Google logo is reflected on the eye of a young man on August 09, 2017 in London, England. Founded in 1995 by Sergey Brin and Larry Page, Google now makes hundreds of products used by billions of people across the globe, from YouTube and Android to Smartbox and Google Search. (Photo by Leon Neal/Getty Images)
Now playing
02:39
Here's why it's so hard to spot deepfakes
HANOVER, GERMANY - MARCH 05:  A visitor types on a laptop computer at the Google stand the day before the CeBIT 2012 technology trade fair officially opens to the public on March 5, 2012 in Hanover, Germany. CeBIT 2012, the world's largest information technology trade fair, will run from March 6-10, and advances in cloud computing are a major feature this year.  (Photo by Sean Gallup/Getty Images)
Sean Gallup/Getty Images Europe/Getty Images
HANOVER, GERMANY - MARCH 05: A visitor types on a laptop computer at the Google stand the day before the CeBIT 2012 technology trade fair officially opens to the public on March 5, 2012 in Hanover, Germany. CeBIT 2012, the world's largest information technology trade fair, will run from March 6-10, and advances in cloud computing are a major feature this year. (Photo by Sean Gallup/Getty Images)
Now playing
02:32
Google+ to shut down after security bug
A lit sign at Facebook's corporate headquarters location in Menlo Park, California, on March 21, 2018.
JOSH EDELSON/AFP/Getty Images
A lit sign at Facebook's corporate headquarters location in Menlo Park, California, on March 21, 2018.
Now playing
03:39
Exclusive: Is Facebook doing enough to stop election meddling?
Now playing
02:54
A new approach to cybersecurity: Let the hackers in
Now playing
02:46
Inside China's biggest gadget market
(CNN Business) —  

Marriott says its guest reservation system has been hacked, potentially exposing the personal information of approximately 500 million guests.

The hotel chain said Friday the hack affects its Starwood reservation database, a group of hotels it bought in 2016 that includes the St. Regis, Westin, Sheraton and W Hotels.

Marriott said hackers had gained “unauthorized access” to the Starwood reservation system since 2014, but the company only identified the issue last week.

“The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it,” Marriott said in a statement.

For 327 million people, Marriott says the guests’ exposed information includes their names, phone numbers, email addresses, passport numbers, date of birth and arrival and departure information. For millions others, their credit card numbers and card expiration dates were potentially compromised.

Marriott warns that it can’t confirm if the hackers were able to decrypt the credit card numbers.

“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward,” said CEO Arne Sorenson.

The hotel chain said it has reported the hack to law enforcement.

Marriott said it will begin emailing guests affected by the breach and has created an informational website. There’s also a call center that’s been set up.

The company said it’s giving guests a free membership to WebWatcher, a personal information monitoring service. It’s also telling guests to monitor their loyalty accounts for suspicious activity, change their account passwords and check credit card statements for unauthorized activity.

Today’s revelation marks one of the biggest corporate data beaches in history. It’s second behind one involving Yahoo, which said in 2017 that 3 billion accounts encompassing several of its brands were compromised. AdultFriendFinder revealed in 2016 that 412 million accounts were hacked.

Because the hack involves customers in the European Union and the United Kingdom, the company might be in violation of the recently enacted General Data Protection Regulation.

Mark Thompson, the global lead for consulting company KPMG’s Privacy Advisory Practice, told CNN Business that hefty GDPR penalties will potentially be slapped on the company.

“The size and scale of this thing is huge,” he said, adding that it’s going to take several months for regulators to investigate the breach. He said there’s a trend for class action lawsuits in these cases.

In the United States, the New York Attorney General’s office said it has opened an investigation into the data breach. The office told CNN Business that the company hasn’t yet notified the AG about the data breach, which is required under state law.

The attorneys general of Maryland and Pennsylvania have also said that they are investigating.

Marriott’s (MAR) stock is plunging on the news, falling more than 6% in trading. The combined company has 6,700 properties in more than 129 countries.