Marriott International said on Friday that hackers illegally accessed its Starwood Hotels brand's reservation database since 2014, potentially exposing personal information on about 500 million guests.
Shares of the company fell nearly 6 percent to about $115 in trading before the bell.
The company said for 327 million guests, personal information compromised could include passport details, phone numbers and email addresses. For some others, it could include credit card information.
The company said it learned about the breach after an internal security tool sent an alert on 8 September. On further investigation, the hotel chain learned data had been hacked long before.
The company, which bought Starwood in 2016, said it had reported the incident to law enforcement and had begun notifying regulatory authorities.
Marriott said it would send emails to affected guests, starting Friday.
"We are still investigating the situation so we don't have a list of specific hotels. What we do know is that it only impacted Starwood brands," Marriott spokesman Jeff Flaherty told Reuters.
Marriott said it was too early to estimate the financial impact of the breach and that it would not affect its long-term financial health. It also said it was working with its insurance carriers to assess the coverage.
Hotel groups have of late become a target of hackers, seeking to steal information such as credit card data.
Last year, both InterContinental Hotels Group Plc and Hyatt Hotels Corp were victims of cyber attacks.
Hyatt said it had discovered unauthorised access to payment card information at certain of its locations, affecting 41 properties in 11 countries.