The details of up to 500 million Starwood hotel guests may have been exposed after a reservation database was breached, according to owner Marriott.
Luxury London landmarks, such as Park Lane Sheraton Grand, Westbury Mayfair and Le Meridien Piccadilly – were among the properties that had been affected by the "data security incident".
Information, including passport numbers, birth dates, names, addresses and phone numbers of 327 million people, has been accessed by unauthorised parties since 2014.
The payment card numbers and expiration dates of some customers may have also been taken, said Marriott, which bought Starwood in 2016.
For some guests, the information was limited to their names and sometimes other data such as mailing address, email address or other data.
Payment card numbers are encrypted using a method that requires two components to break it, the company said.
"Marriott has not been able to rule out the possibility that both were taken," it added.
The breach was discovered on 8 September, when the company found that an unknown party had "copied and encrypted information, and took steps towards removing it".
The unauthorised access related to reservations at Starwood properties on or before 10 September.
The hotel chain has set up a dedicated website and call centre to answer questions about the incident.
"We deeply regret this incident happened," said Arne Sorenson, Marriott's president and chief executive.
"We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
Starwood operates hotels under the names: W Hotels, St Regis, Sheraton Hotels and Resorts, Westin Hotels and Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Meridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
Starwood branded timeshare properties are also included.
A spokesperson for the UK's National Cyber Security Centre said: "We are working with partners to better understand the data breach affecting Marriott International and how it has affected customers.
"The company has confirmed an unauthorised access to a database they say contains information on up to approximately 500 million guests worldwide who made a reservation at a Starwood property.
More from Business
"The NCSC website includes advice for people who think they have been affected by a data breach, including guidance on suspicious phone calls and targeted emails that can be sent after a data breach.
"We also recommend that people are vigilant against any suspicious activity on their bank accounts and credit cards and contact their financial provider if they have concerns."