Marriott International on Friday said private details of up to about 500 million guests may have been exposed in a data breach, Reuters reported. The hotel chain said hackers have accessed the guest reservation database of its Starwood division.

The hack began in 2014, two years before Marriott bought Starwood. Starwood’s hotel brands include Sheraton Hotels, W Hotels, Le Méridien, St Regis, among others. Hotels that use the Marriott brand name use a reservation system on a different network, according to BBC.

“We are still investigating the situation so we don’t have a list of specific hotels,” Marriott spokesman Jeff Flaherty told Reuters. “What we do know is that it only impacted Starwood brands.”

Personal information for about 327 million guests, including passport details, email addresses and phone numbers, were compromised, the company said. For some others, the breach may have exposed credit card information, it added. The hotel chain said it has reported the incident to law enforcement agencies and will send emails to affected guests, BBC reported.

Marriott said it learned about the breach after it received an alert from an internal security tool on September 8. After conducting an investigation, the company learned that data had been hacked long before.

“We fell short of what our guests deserve and what we expect of ourselves,” Chief Executive Officer Arne Sorenson said in a statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

The United Kingdom’s Information Commissioner’s Office said it will make enquiries into the breach. “If anyone has concerns about how their data has been handled, they can report these concerns to us,” the commissioner’s office said.