As one of North America’s largest hotel groups enters damage-control mode after a major data breach, millions of customers are left wondering if their personal information was compromised.

Marriott International, Inc. said Friday that there had been “unauthorized access” to the Starwood reservation data over a period of four years. Marriott acquired Starwood Hotels in 2016, but the data breech began as early as 2014. The private data of as many as 500 million guests may have been accessed.

Here’s what you need to know about the breach and if your information was compromised:

Email notifications

Marriott said it will begin sending email notifications “on a rolling basis” beginning Friday to those who may have been affected and whose email addresses are in the Starwood guest reservation database.

Hotels affected

Starwood operates more than Starwood-branded hotels and timeshares. Other names include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Meridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

Starwood call centre

If your email is not in the guest reservation database, you can use the dedicated website or call centre to determine if your information was compromised.

Information compromised

For most of the guests affected (approximately 327 million), the data accessed could include some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

Marriott said Friday that credit card numbers and expiration dates may have been accessed too, but the company has not yet determined if the information has been decrypted.

Where your information can go

Considering the breadth of information compromised, there is a lot that a hacker could do with your private data, cyber security expert Ritesh Kotak told CTV News Channel on Friday.

“(Hackers) can take that information to essentially commit a whole array of criminal activity, from selling your information in the ‘dark web’ all the way to potentially making you a victim of identity theft,” he said. “The fact that (the information) has been in the system potentially for up to four years is very troublesome.”

Can you protect yourself?

Marriott has offered to U.S., Canada and U.K. citizens a free year-long subscription to WebWatcher, a service that notifies consumers if there is evidence their information has been found on sites where personal information is shared.

But otherwise, Kotak says there is not much those affected can do since their information is already out there and reservation systems are an established part of our culture.

“This is less what consumers can do and more of a responsibility on corporations to ensure that they use the latest cyber security tools and that they value and protect consumer’s data,” he told CTV News Channel. “As an individual in this hyper digital connected age there’s not much we can do.”

Watch for phishing scams

Since email addresses were part of the data breach, it’s possible that hackers could begin launching targeted email attacks posing as Marriott officials, Dave Salisbury, director of the Center for Cybersecurity and Data Intelligence, said on CTV News Channel Friday.

“In the immediate term, I would be on the lookout for phishing attacks,” he said. Hackers could email vulnerable consumers, claim to be with Marriott and ask for verification of personal data.

In a prepared statement released Friday, Marriott CEO Arne Sorenson said the company deeply regrets the incident. “We fell short of what our guests deserve and what we expect of ourselves,” he said. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”