NEW YORK – As many as 500 million guests at Marriott International hotels may have been victims of a hack that in many cases pilfered passport numbers, birthdates or other identifying data dating back to 2014, the company announced Friday.

The hack is among the largest ever disclosed, prompting a big drop in Marriott shares and investigations
in at least three states including, New York, where Attorney General Barbara Underwood said on Twitter that “New Yorkers deserve to know that their personal information will be protected.”

Marriott said it was alerted on September 8 that there had been an attempt to hack their reservation database in the United States. A subsequent probe concluded on November 19 “that there had been unauthorized access to the Starwood network since 2014” which compromised personal and financial information.

Hotel brands in the Starwood network include Sheraton, Westin, Four Points and W Hotels. Marriott completed a $13.6 billion acquisition of Starwood in 2016.

“We deeply regret this incident happened,” Marriott chief Arne Sorenson said in a statement. “We
fell short of what our guests deserve and what we expect of ourselves.”

The investigation determined that for about 327 million guests, the hacked information included items such as names, addresses, passport numbers and dates of birth. Marriott also could not rule out that hackers were also able to access some encrypted credit card information.

For the other guests, the information was limited to names and sometimes other data such as
mailing and email addresses or other information, the company said.