Guests at Walt Disney World’s Swan and Dolphin Resort are among those whose personal information may have been exposed in a data breach affecting as many as 500 million people who stayed at Marriott hotels over the past four years.

Marriott International Inc. said Friday it had identified a hack of the guest reservation database in its Starwood Hotels & Resorts unit, which the company acquired in 2016. The Swan and Dolphin are among the Starwood properties in the Orlando area.

A spokesperson for the Swan and Dolphin directed all questions to Marriott’s corporate office, which confirmed the scale of the breach.

“The incident impacts guests who made reservations at Starwood branded properties prior to September 10, 2018,” Marriott International spokesperson Alycia Chanin told Orlando Rising.

Marriott said the hacking dates back to 2014, before its $13.6 billion acquisition of the Starwood chain. For 327 million guests to Starwood hotels in that time frame, names, addresses, phone numbers passport numbers, dates of birth and Starwood account information may have been compromised. Marriott’s news release also held open the possibility that some customers’ credit card numbers and expiration dates had been decrypted.

To combat incidents of identity theft using this stolen information, Marriott has been emailing affected guests in the Starwood database, established a dedicated website and call center and offering free one-year subscriptions to WebWatcher software to monitor sites where customers’ personal information may be shared.

“We will also continue to support the efforts of law enforcement and to work with leading security experts to improve,” Marriott president and CEO Arne Sorenson said in a statement. “Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

Other Starwood properties in Orlando may have also been impacted, such as Westin Orlando Universal at 9501 Universal Boulevard, Aloft Orlando Downtown at 500 South Orange Avenue, the Sheraton Vistana Villages at 12401 International Drive and the Sheraton Lake Buena Vista Resort. Marriott-branded hotels were not affected because they use a separate reservation system.

It’s not the first time the Swan and Dolphin have been involved in a data breach. In November 2015 — soon after the Marriott deal was first announced — Starwood said malware in its payment systems had exposed the debit and credit card information for guests at 54 of its hotels, including the Dolphin.

The resort had recently announced the addition of a 349-room tower hotel, called The Cove, set to open in 2020.