Marriott International Inc has said that hackers have accessed up to 500 million customer records in its Starwood Hotels reservation system in an attack that began four years ago, exposing data including passport numbers and payment cards.
Shares fell 6% on news of the hack, one of the largest in history, which prompted regulators in Britain and at least five US states to launch investigations.
The FBI said it was looking into the attack on Starwood, whose brands include Sheraton, St Regis, W and Westin hotels.
It advised affected customers to check for identity fraud and report it to the bureau's Internet Crime Complaint Center.
The hack began in 2014, a year before Marriott offered to buy Starwood to create the world's largest hotel operator.
The €12 billion deal closed in September 2016.
Some 327 million customer records containing information including passport details, birthdates, addresses, phone numbers and email addresses were exposed, according to the company.
The hackers also accessed payment card data for an undisclosed number of customers, the company said.
"What makes this serious is the number of people involved, the intimacy of the data that was taken and the long delay between the breach and discovery," said Mark Rasch, a former US federal cyber crimes prosecutor.
Marriott said it learned of the breach on 8 September when an internal security tool sent an alert about suspicious activity.
"We fell short of what our guests deserve," Marriott Chief Executive Arne Sorenson said in a statement.
The Marriott Group owns five hotels in Ireland.
However, just two of those, the Westin in Dublin and Sheraton Athlone, say they used the Starwood reservation system in recent years.
The Data Protection Commission said it hasn't been notified yet of a breach affecting Irish customers, but a spokesman said it will be contacting the Marriott Group about the matter.
Marriott International hotel group reveals up to 500 million customer records in one of its reservation systems have been accessed by hackers - @willgoodbody reports pic.twitter.com/mZZtMNfTC3
— RTÉ News (@rtenews) November 30, 2018
Company representatives could not be reached to explain why it had taken so long to uncover the cyber nearly three months to disclose it to the public after suspicious activity was detected.
Attorneys general in Connecticut, Illinois, Massachusetts, New York and Pennsylvania said they would investigate the attack, as did the UK's Information Commissioner's Office.
"The public deserves to know how this happened," Massachusetts Attorney General Maura Healey said in a statement.
A representative with the US Federal Trade Commission declined to comment.
Marriott said it would inform affected guests about the breach starting today, and that it had reported it to law enforcement and regulatory authorities.
The breach appeared to be the second-largest on record after one at Yahoo in 2013 that exposed all of its three billion user accounts.
Retailers Target Corp and Home Depot Inc each incurred costs of about €176m after massive payment-card breaches in 2013 and 2014.
Marriott said it was too early to estimate the financial impact of the breach, though it would not affect its long-term financial health.
The hotel chain said it was working with its insurance carriers to assess coverage.
