Malicious actors spent more than four years inside Marriott’s Starwood reservation system obtaining access to 500 million guest records that included names, payment card information and other PII, the hotel chain reported today.

The cybercriminals gained access to, copied and encrypted a wide variety of data from guests using its reservation system, the company said. The Marriott IT team only discovered the breach on September 8, 2018 when the cybercriminals attempted to remove data from the U.S. system. This event led to a further investigation which uncovered that the long-running operation had been in place since 2014.

Marriott acquired Starwood Hotels in 2016, which means the intrusion was already in place, and undetected, when the deal closed.

“This is yet another example of why it is critical that companies perform cyber due diligence prior to an acquisition or investment. Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial, and legal harm that could befall the company. After an investment has been made, continuous monitoring is essential,” said Jake Olcott, BitSight’s VP of strategic partnerships.

Starwood was no stranger to data breaches, having been hit in 2015 with POS malware affecting 1,275 properties in the U.S. and Canada.

The Marriott breach is one of the largest of the year, beating Veeam's 445 million exposed records and Huazhu Hotels' 130 million users. It even rivals the huge Yahoo incident disclosed in 2016, which was put at 1 billion users at the time.

The initial investigation revealed that the cybercriminals had duplicated and encrypted the database. By Nov. 19, Marriott’s security team, working with outside consultants, had partially decrypted enough of the file to determine the extent of the damage.

For 327 million people, the compromised information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences, the company said.

Another batch contained payment card numbers and expiration dates. Although the card numbers were encrypted with AES-128, Marriott believes it is possible the attackers also obtained the two components needed for full decryption. That caveat matters: encryption at rest protects data only while the keys stay out of the attacker's reach, and an intruder resident in the same environment for four years has ample opportunity to locate them.
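The point about the "two components" is worth making concrete. The following is an added illustration, not Marriott's or Starwood's code, and the page does not say what Marriott's two components actually were; here they are modelled as two XOR shares of an AES-128 key that are meant to live on separate systems, with AES-GCM chosen as the mode (the article only says AES-128). The card number is a constructed test value. The example shows that an attacker holding the encrypted records plus both shares recovers every card number, while one holding the records plus only one share gets nothing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keyLen = 16 // AES-128

// SplitKey splits a 16-byte AES-128 key into two random-looking shares whose
// XOR reproduces the key. The intent (an assumption for this illustration) is
// that the shares are stored on separate systems, e.g. one beside the database
// and one in an HSM or key service, so compromising the database tier alone
// does not yield the key.
func SplitKey(key []byte) (shareA, shareB []byte, err error) {
	if len(key) != keyLen {
		return nil, nil, errors.New("AES-128 key must be 16 bytes")
	}
	shareA = make([]byte, keyLen)
	if _, err := rand.Read(shareA); err != nil {
		return nil, nil, err
	}
	shareB = make([]byte, keyLen)
	for i := range key {
		shareB[i] = key[i] ^ shareA[i]
	}
	return shareA, shareB, nil
}

// CombineKey rebuilds the key from both shares. Either share on its own is
// statistically independent of the key and reveals nothing about it.
func CombineKey(shareA, shareB []byte) ([]byte, error) {
	if len(shareA) != keyLen || len(shareB) != keyLen {
		return nil, errors.New("shares must be 16 bytes each")
	}
	key := make([]byte, keyLen)
	for i := range key {
		key[i] = shareA[i] ^ shareB[i]
	}
	return key, nil
}

// EncryptPAN encrypts a card number with AES-128-GCM. The random nonce is
// prepended to the ciphertext so each stored record is self-contained.
func EncryptPAN(key []byte, pan string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN reverses EncryptPAN. With the wrong key the GCM authentication
// tag fails and no plaintext is returned, which is exactly what an attacker
// holding only the ciphertext, or only one key share, should experience.
func DecryptPAN(key []byte, record []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(record) < gcm.NonceSize() {
		return "", errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed sample data: a well-known test card number, not real cardholder data.
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	shareA, shareB, _ := SplitKey(key)
	record, _ := EncryptPAN(key, "4111111111111111")

	// Attacker who took the records and both key components: full recovery.
	if k, err := CombineKey(shareA, shareB); err == nil {
		pan, err := DecryptPAN(k, record)
		fmt.Println("both shares:", pan, err)
	}
	// Attacker who took the records and only one share: ciphertext stays opaque.
	_, err := DecryptPAN(shareA, record)
	fmt.Println("one share:  ", err)
}
```

The design point is that the ciphertext is worth nothing to the attacker only as long as at least one component is held somewhere the intruder never reached; if both components are reachable from the compromised reservation environment, the AES layer is a formality.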

The remaining breached records contained passport data, names and possibly mailing and email addresses.

“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and CEO. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Although Marriott reported the malware resided in its U.S.-based reservation system, if any EU guests were involved it could open the company up to fines under GDPR, said Chris Morales, head of security analytics at Vectra.

“With more than two months between the initial detection time on Sept. 8, 2018 and public disclosure of the breach, depending on what they knew and when, the disclosure window may contravene the GDPR 72-hour notification requirement,” he said.