This photo taken on January 11, 2018 shows a Marriott logo in Hangzhou in China's Zhejiang province.
Authorities in China have shut down Marriott's local website for a week after the US hotel giant mistakenly listed Chinese-claimed regions such as Tibet and Hong Kong as separate countries. / AFP PHOTO / - / China OUT        (Photo credit should read -/AFP/Getty Images)
AFP/Getty Images
This photo taken on January 11, 2018 shows a Marriott logo in Hangzhou in China's Zhejiang province. Authorities in China have shut down Marriott's local website for a week after the US hotel giant mistakenly listed Chinese-claimed regions such as Tibet and Hong Kong as separate countries. / AFP PHOTO / - / China OUT (Photo credit should read -/AFP/Getty Images)
Now playing
01:33
Marriott's guest reservation system hacked
CNN/John General/Atom Smasher
Now playing
04:04
Here's everything you need to know about ransomware
A person uses Windows software
Shutterstock
A person uses Windows software
Now playing
00:53
Microsoft urges Windows users to install update
Staff enter the headquarters of information technology firm Kaseya in Miami, Florida, U.S., in an undated still image from video. Kaseya/Handout via REUTERS NO RESALES. NO ARCHIVES. THIS IMAGE HAS BEEN SUPPLIED BY A THIRD PARTY.
Kaseya via Reuters
Staff enter the headquarters of information technology firm Kaseya in Miami, Florida, U.S., in an undated still image from video. Kaseya/Handout via REUTERS NO RESALES. NO ARCHIVES. THIS IMAGE HAS BEEN SUPPLIED BY A THIRD PARTY.
Now playing
01:41
Kaseya: The massive ransomware attack compromised up to 1,500 businesses
The silhouettes of attendees are seen standing in front of a Electronic Arts Inc. (EA) logo displayed on a screen during the company's EA Play event ahead of the E3 Electronic Entertainment Expo in Los Angeles, California, U.S., on Saturday, June 9, 2018. EA announced that it is introducing a higher-end version of its subscription game-playing service that will include new titles such as Battlefield V and the Madden NFL 19 football game. Photographer: Patrick T. Fallon/Bloomberg via Getty Images
Patrick T. Fallon/Bloomberg via Getty Images
The silhouettes of attendees are seen standing in front of a Electronic Arts Inc. (EA) logo displayed on a screen during the company's EA Play event ahead of the E3 Electronic Entertainment Expo in Los Angeles, California, U.S., on Saturday, June 9, 2018. EA announced that it is introducing a higher-end version of its subscription game-playing service that will include new titles such as Battlefield V and the Madden NFL 19 football game. Photographer: Patrick T. Fallon/Bloomberg via Getty Images
Now playing
02:15
Electronic Arts breached by hackers
Now playing
06:43
FireEye CEO: Digital currency enables cybercrime
screengrab Elliptic
Elliptic
screengrab Elliptic
Now playing
03:18
See how cybersecurity experts trace ransom payments
This photo taken on August 4, 2020 shows Prince, a member of the hacking group Red Hacker Alliance who refused to give his real name, using his computer at their office in Dongguan, China's southern Guangdong province. - From a small, dingy office tucked away in an industrial city in southern China, the Red Hacker Alliance -- one of China's most well-known patriotic "hacktivist" groups -- maintain battle in the country's nationalistic online war. (Photo by NICOLAS ASFOURI / AFP)
NICOLAS ASFOURI/AFP/AFP via Getty Images
This photo taken on August 4, 2020 shows Prince, a member of the hacking group Red Hacker Alliance who refused to give his real name, using his computer at their office in Dongguan, China's southern Guangdong province. - From a small, dingy office tucked away in an industrial city in southern China, the Red Hacker Alliance -- one of China's most well-known patriotic "hacktivist" groups -- maintain battle in the country's nationalistic online war. (Photo by NICOLAS ASFOURI / AFP)
Now playing
02:42
White House urges companies to take cyberattack threat more seriously
Fuel tanks are seen at Colonial Pipeline Baltimore Delivery in Baltimore, Maryland on May 10, 2021.
Jim Watson/AFP/Getty Images
Fuel tanks are seen at Colonial Pipeline Baltimore Delivery in Baltimore, Maryland on May 10, 2021.
Now playing
01:47
Cybersecurity expert: Defense isn't perfect in this game
SolarWinds headquarters in Austin, Texas on December 15, 2020.
Shutterstock
SolarWinds headquarters in Austin, Texas on December 15, 2020.
Now playing
02:52
Microsoft says SolarWinds hackers have struck again
Now playing
02:47
IBM CEO: Cybersecurity needs to be a collective effort led by government
Now playing
03:10
Cybersecurity expert on why ransomware attacks are becoming more common
Video thumnbnail of fireeye CEO Kevin Mandia on CNN's First Move
CNN
Video thumnbnail of fireeye CEO Kevin Mandia on CNN's First Move
Now playing
03:24
FireEye CEO on how the SolarWinds hack was discovered
This photo taken on August 4, 2020 shows Prince, a member of the hacking group Red Hacker Alliance who refused to give his real name, using his computer at their office in Dongguan, China's southern Guangdong province. - From a small, dingy office tucked away in an industrial city in southern China, the Red Hacker Alliance -- one of China's most well-known patriotic "hacktivist" groups -- maintain battle in the country's nationalistic online war. (Photo by NICOLAS ASFOURI / AFP)
NICOLAS ASFOURI/AFP/AFP via Getty Images
This photo taken on August 4, 2020 shows Prince, a member of the hacking group Red Hacker Alliance who refused to give his real name, using his computer at their office in Dongguan, China's southern Guangdong province. - From a small, dingy office tucked away in an industrial city in southern China, the Red Hacker Alliance -- one of China's most well-known patriotic "hacktivist" groups -- maintain battle in the country's nationalistic online war. (Photo by NICOLAS ASFOURI / AFP)
Now playing
04:22
Analyst explains why hospitals are vulnerable to hackers
CNN
Now playing
05:14
A hacker stole $1 million from him by tricking his cell phone provider
SocialProof Security CEO Rachel Tobac uses social engineering to hack CNN tech reporter Donie O'Sullivan's accounts.
Graphics: John General/CNN
SocialProof Security CEO Rachel Tobac uses social engineering to hack CNN tech reporter Donie O'Sullivan's accounts.
Now playing
04:35
Watch how a social engineering hack works
BERLIN, GERMANY - JUNE 22: In this photo Illustration hands typing on a computer keyboard on June 22, 2016 in Berlin, Germany. (Photo Illustration by Thomas Trutschel/Photothek via Getty Images)
Thomas Trutschel/Photothek/Photothek via Getty Images
BERLIN, GERMANY - JUNE 22: In this photo Illustration hands typing on a computer keyboard on June 22, 2016 in Berlin, Germany. (Photo Illustration by Thomas Trutschel/Photothek via Getty Images)
Now playing
01:43
5 of the biggest data breaches​
New York CNN Business —  

Marriott says its guest reservation system has been hacked, potentially exposing the personal information of approximately 500 million guests.

The hotel chain said Friday the hack affects its Starwood reservation database, a group of hotels it bought in 2016 that includes the St. Regis, Westin, Sheraton and W Hotels.

Marriott said hackers had gained “unauthorized access” to the Starwood reservation system since 2014, but the company only identified the issue last week.

“The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it,” Marriott said in a statement.

For 327 million people, Marriott says the guests’ exposed information includes their names, phone numbers, email addresses, passport numbers, date of birth and arrival and departure information. For millions others, their credit card numbers and card expiration dates were potentially compromised.

Marriott warns that it can’t confirm if the hackers were able to decrypt the credit card numbers.

“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward,” said CEO Arne Sorenson.

The hotel chain said it has reported the hack to law enforcement.

Marriott said it will begin emailing guests affected by the breach and has created an informational website. There’s also a call center that’s been set up.

The company said it’s giving guests a free membership to WebWatcher, a personal information monitoring service. It’s also telling guests to monitor their loyalty accounts for suspicious activity, change their account passwords and check credit card statements for unauthorized activity.

Today’s revelation marks one of the biggest corporate data beaches in history. It’s second behind one involving Yahoo, which said in 2017 that 3 billion accounts encompassing several of its brands were compromised. AdultFriendFinder revealed in 2016 that 412 million accounts were hacked.

Because the hack involves customers in the European Union and the United Kingdom, the company might be in violation of the recently enacted General Data Protection Regulation.

Mark Thompson, the global lead for consulting company KPMG’s Privacy Advisory Practice, told CNN Business that hefty GDPR penalties will potentially be slapped on the company.

“The size and scale of this thing is huge,” he said, adding that it’s going to take several months for regulators to investigate the breach. He said there’s a trend for class action lawsuits in these cases.

In the United States, the New York Attorney General’s office said it has opened an investigation into the data breach. The office told CNN Business that the company hasn’t yet notified the AG about the data breach, which is required under state law.

The attorneys general of Maryland and Pennsylvania have also said that they are investigating.

Marriott’s (MAR) stock is plunging on the news, falling more than 6% in trading. The combined company has 6,700 properties in more than 129 countries.