Marriott International Inc.'s global data breach that impacted about 500 million guests will go under the spotlight of two states’ top law enforcement agencies.

New York State Attorney General Barbara Underwood (D) announced in a Nov. 30 tweet that the state has opened an investigation the Marriott data breach. “New Yorkers deserve to know that their personal information will be protected,” she wrote.

Illinois is also investigating Marriott for the data security incident, Maura Possley, communications director for the state attorney general’s office, told Bloomberg Law in an email.

Marriott discovered the security breach Nov. 19 that hit reservation information on or before Sept. 10, 2018. Out of the company’s 500 million guests, about 327 million Starwood guests may have had their passport numbers, email, and other personal data taken. Credit and payment card data also may have been stolen.

According to the New York attorney general’s office, though, Marriott didn’t inform the regulator about the breach. “Under New York law, Marriott was required to provide notification to our office upon discovering the breach; they have not done so as of yet,” Amy Spitalnick, communications director for the office, wrote on Twitter Nov. 30.

Data breach investigations by state attorneys general can cost businesses more than federal investigations, privacy attorneys told Bloomberg Law. A recent $148 million settlement with Uber over a 2016 data breach highlights the power state regulators have to move swiftly to hold companies accountable, they said.

“The single biggest exposure for Marriott domestically may be state attorney general enforcement action,” Paige Boshell, managing member and attorney at Privacy Counsel LLC, told Bloomberg Law. States have shown “their ability to act more quickly and exact greater fines than the Federal Trade Commission and coordinate with each other effectively for more comprehensive enforcement,” she said.

The cost of the state attorney general, and even federal investigations may hurt Marriott’s bottom-line, financial analysts said.

“The near-term impact of the data breach of the Marriott-owned Starwood guest reservation database includes direct costs associated with the investigation, as well as any litigation or liability that Marriott may have with respect to compromised data,” Pete Trombetta, lodging analyst at Moody’s, told Bloomberg Law in an email.