(Reuters) - Marriott International said on Friday hackers stole about 500 million records from its Starwood Hotels reservation system in an attack that began four years ago, exposing personal data of customers including some payment card numbers.

Logo of Marriott hotel is seen in Vienna, Austria April 9, 2018. REUTERS/Heinz-Peter Bader

Shares of the company were down 4 percent at $117 in premarket trading.

The hack began in 2014, before Marriott offered to buy Starwood for $12.2 billion in November 2015, acquiring brands including Sheraton, Ritz Carlton and the Autograph Collection to create the world’s largest hotel operator. The company closed the Starwood deal in September 2016.

Marriott said for 327 million guests, compromised data could include passport details, phone numbers and email addresses. For some others, it could include credit card information.

Marriott said it first found out about the breach after an internal security tool sent an alert on Sept. 8.

“We’ve opened an investigation into the Marriott data breach. Additionally, under New York law, Marriott was required to provide notification to our office upon discovering the breach; they have not done so as of yet,” said Amy Spitalnick,

Communications Director and Senior Policy Advisor, Office of the New York Attorney General.

Marriott said it would inform affected guests about the breach, starting Friday, and that it had reported it to law enforcement and regulatory authorities.

Several companies have suffered data hacks in recent years. The breach could cost Marriott hundreds of millions of dollars in legal costs.

Yahoo said last year all of its three billion accounts were hacked in a 2013 data theft. Attorneys had said the breach sharply increased the legal exposure of its new owner, Verizon Communications Inc.

Altaba Inc, as Yahoo came to be known after Verizon bought it, said it expected to pay a total of $47 million in litigation expenses to settle related cases.

News of the attack highlights the need for companies to pay close attention on cyber security when making acquisitions.

“Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial, and legal harm that could befall the company,” said Jake Olcott, a vice president with cybersecurity firm BitSight.

Marriott said on Friday it was too early to estimate the financial impact of the breach and that it would not affect its long-term financial health. The hotel chain said it was working with its insurance carriers to assess coverage.