Marriott International Inc. may be hit with millions of dollars in state fines if the company failed to properly secure guests’ personal information, after revealing a hack that it said may have affected 500 million guests.

The Massachusetts, New York and Illinois state attorneys general quickly announced they would examine the hack. Connecticut George Jepsen (D) is also looking into the matter, a spokesman told Bloomberg Law.

A recent $148 million settlement Uber Technologies Inc. reached with attorneys general from all 50 states and the District of Columbia over a 2016 data breach shows states’ regulatory clout, privacy attorneys said.

“The single biggest exposure for Marriott domestically may be state attorney general enforcement action,” Paige Boshell, managing member and attorney at Privacy Counsel LLC, said. States can “act more quickly and exact greater fines than the Federal Trade Commission and coordinate with each other effectively for more comprehensive enforcement,” she said.

States could bring privacy enforcement under their consumer protection statues, data breach notification standards, and data security obligations.

More state attorneys general will likely join in to probe how Marriott handled the massive breach, privacy attorneys told Bloomberg Law. Depending on the sequence of events, Marriott could see large financial penalties and negative consumer sentiment following the state investigations, they said.

Marriott likely faces “substantial fines” from state attorneys general, Robert Braun, cybersecurity partner at Jeffer Mangels Butler & Mitchell LLP in Los Angeles, said. Massive data breaches “are the types of events that state regulators, for political reasons, are very happy to go after,” he said.

The cost of the state attorneys general probes may hurt Marriott’s bottom line, financial analysts said.

“The near-term impact of the data breach of the Marriott-owned Starwood guest reservation database includes direct costs associated with the investigation, as well as any litigation or liability that Marriott may have with respect to compromised data,” Pete Trombetta, a lodging analyst at Moody’s, told Bloomberg Law in an email.

Marriott didn’t immediately respond to a Bloomberg Law request for comment.

The breach, which Marriott revealed in a Nov. 30 SEC filing, hit reservation information on or before Sept. 10, 2018, the company said.

Marriott said in the filing that it discovered the breach Nov. 19, and learned during an internal investigation that there had been unauthorized access to the Starwood network since 2014.

Out of the company’s 500 million guests, about 327 million Starwood guests may have had their passport numbers, email, and other personal data taken, the company said. Credit and payment card data also may have been stolen.

Notifying New York

A spokeswoman for New York Attorney General Barbara Underwood (D) has hinted that she isn’t happy with Marriott’s response to the breach. That likely means that Marriott won’t emerge from the New York investigation unscathed, privacy attorneys said.

“Under New York law, Marriott was required to provide notification to our office upon discovering the breach; they have not done so as of yet,” Amy Spitalnick, communications director for Underwood’s office, wrote on Twitter Nov. 30.

Illinois Attorney General Maura Healey (D) said in an emailed statement confirming her state’s probe into the Marriott breach that it “may have compromised the information of millions, and the public deserves to know how this happened.”