Marriott International disclosed on Friday a data breach involving its guest reservation database at its Starwood Hotel brand that it said could affect upward of 500 million guests.

Shares of Marriott fell almost 5 percent in pre-market trading on Friday.

The personal information of at least 327 million guests – including name, mailing address, phone number, email address, passport number, birthday and gender – may have been accessed by an unauthorized party, Marriott said in a news release.

For some guests, the information could also include credit card numbers and expiration dates.

The hotel chain said an investigation uncovered the breach on November 19. The breach could affect guests who stayed in Starwood Hotel locations on or before Sept. 10. Marriott said it reported the incident to law enforcement.

“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and CEO, in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Hours after the breach was disclosed, New York Attorney General Barbara Underwood said in a tweet the state had launched an investigation in the data breach.

“New Yorkers deserve to know that their personal information will be protected,” Underwood wrote.