By Jim Finkle and Arjun Panchadar
(Reuters) - Marriott International Inc (O:MAR) said on Friday that hackers accessed about 500 million records in its Starwood Hotels reservation system in an attack that began four years ago, exposing personal data of customers including some payment card numbers.
Shares fell 5 percent after disclosure of the hack, one of the largest in history, which prompted regulators in Britain and at least three U.S. states to announce plans to look into the attack.
The hack began in 2014, before Marriott offered to buy Starwood for $12.2 billion (9.57 billion pounds) in November 2015, acquiring brands including Sheraton, Ritz Carlton and Westin to create the world's largest hotel operator. The company closed the Starwood deal in September 2016.
Passport details, phone numbers and email addresses of some 327 million Marriott customers were exposed, according to the company. Credit card data may have been taken for other customers, it said.
"What makes this serious is the number of people involved, the intimacy of the data that was taken and the long delay between the breach and discovery," said Mark Rasch, a former U.S. federal cyber crimes prosecutor.
Customers complained to Marriott through its account on Twitter, where Starwood was among the top trending U.S. topics. Some criticized the company, using terms including "duped," "angry" and "merger disaster" to describe the incident.
Marriott said it learnt of the breach on Sept. 8 when an internal security tool sent an alert about suspicious activity.
"We fell short of what our guests deserve," Marriott Chief Executive Arne Sorenson said.
The offices of attorneys general in Connecticut, Illinois and New York said they would investigate the attack, as did the UK's Information Commissioner's Office. A representative with the U.S. Federal Trade Commission declined comment.
Marriott said it would inform affected guests about the breach starting Friday, and that it had reported it to law enforcement and regulatory authorities.
The breach appeared to be the second-largest on record after one at Yahoo in 2013 that exposed all of its 3 billion user accounts. That breach cost $47 million in litigation expenses and prompted Verizon Communications Inc (N:VZ) to cut $350 million off the price it paid when it acquired most of Yahoo.
Marriott said it was too early to estimate the financial impact of the breach and that it would not affect its long-term financial health. The hotel chain said it was working with its insurance carriers to assess coverage.
Baird Equity Research said in a note to clients that breach-related costs, including legal fees, technical expenses and increased security, could force Marriott to delay the rollout of a new customer loyalty programme planned for early 2019.
"Investor sentiment towards Marriott could remain somewhat negative in the near term until this security incident is fully resolved and its true financial impact is learnt," Baird said.
The Hyatt breach highlights the need for companies to pay close attention on cyber security when making acquisitions.
"Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial, and legal harm that could befall the company," said Jake Olcott, a vice president with cybersecurity firm BitSight.
Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, and Westin Hotels & Resorts.