Investigators said they found hacking tools, techniques and procedures previously associated with Chinese hackers when examining the breach of Marriott International’s Starwood reservation system that exposed private information for about 500 million guests.

EXPERTS ARE SAYING the Chinese government may be behind a data breach of Marriott International ‘s Starwood reservation system that exposed private information for hundreds of millions of people. The finding, if it proves to be true, may increase already terse trade tensions between the U.S. and China.

Marriott has said the investigation into the breach began in September after one of its internal security tools detected an attempt to access the database in the U.S. It determined that since 2014 an unauthorized party had been copying and encrypting information from the database. While the company is still sifting out duplicate data, it currently believes the data came from about 500 million guests. Marriott acquired Starwood in September 2016. This past August, Marriott merged the companies’ guest loyalty programs.

Marriott disclosed the information stolen includes mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth and gender. Some payment card numbers and expiration dates also were exposed, but the company believes they are protected by its encryption.

China emerged as a suspect when private investigators found certain hacking tools, techniques and procedures evident in the breach that were previously associated with Chinese hackers, according to Reuters.

At the same time, Reuters’ sources said other parties had access to the same hacking tools, so further investigation is merited. Also, multiple groups may have been behind the breach.

The three most likely types of suspects in a breach this size would be organized crime looking to make a profit, “hacktivists” trying to achieve a social or political goal or a nation state gathering intelligence, perhaps looking for vulnerable individuals they can exploit, said Greg Sparrow, senior vice president and general manager at CompliancePoint computer security firm.

Like any businessman, a hacker is looking for a good return on their investment, Sparrow said. Hotels too often provide a large trove of data with easy access. The biggest vulnerability for hotels is the fact that they tend to have large, distributed networks that provide multiple points of entry.

While Marriott believes most of the credit card information taken in the breach is protected by its own encryption, Sparrow said the personally identifying information taken, such as passport numbers and passwords, can still be used or sold on the black market. In fact, he said that information can be even more valuable because it remains useful for much longer than credit cards, which are easily cancelled.

“There are lots of different ways to monetize the data on the black market,” he said.

Chinese officials denied involvement in the hack.

“China firmly opposes all forms of cyber attack and cracks down on them in accordance with law,” Chinese Ministry of Foreign Affairs spokesman Geng Shuang told Reuters. “If offered evidence, the relevant Chinese departments will carry out investigations according to law.”

Marriott spokeswoman Connie Kim told the news agency, “We’ve got nothing to share,” when asked about involvement of Chinese hackers.

The U.S and China already are experiencing tense relations over tariff disputes and accusations that China engages in espionage and theft of trade secrets. At the same time, Chinese companies have increasingly invested in the U.S. hospitality industry.

Last month, Jin Jiang International Holdings Co. of China closed on a deal to acquire  Minnetonka, Minnesota-based Radisson Hospitality Inc. from HNA Tourism Group Co., also of China. Radisson Hospitality Inc. and Radisson Hospitality AB in Brussels, Belgium, make up Radisson Hotel Group.

Marriott has faced criticism for its security procedures over the breach. Earlier this month, the company sent an e-mail to potential victims outlining what it is doing to address the situation. It said the company is working with law enforcement to investigate the incident.

“From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts,” Marriott said in the e-mail. “Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

In the Securities and Exchange Commission filings, Marriott said “it is premature to estimate the financial impact” the breach will have on the company. It indicated it had cyber insurance and is working with the insurance company to assess its coverage.

“The company does not believe this incident will impact its long-term financial health,” Marriott wrote in the filing. “As a manager and franchisor [sic] of leading lodging brands, the company generates meaningful cash flow each year with only modest capital investment needed to grow the business. The company remains committed to maintaining its investment grade credit rating.”