The cyberattack on the Marriott hotel chain that collected personal details of some 500 million guests was part of a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans, according to informed sources.
The hackers were suspected of working on behalf of the Ministry of State Security, the country's Communist-controlled civilian spy agency, the sources told The New York Times on Tuesday.
The Marriott database contains not only credit card information but passport data.
The spies stole passport numbers of up to 327 million people - many of whom stayed at Sheraton, Westin and W hotels and at other Starwood-branded properties.
The hacking was discovered only in September and revealed late last month.
But Marriott has not said if it would pay to replace those passports, an undertaking that would cost tens of billions of dollars.
The discovery comes as US President Donald Trump's administration is planning actions targeting China's trade, cyber and economic policies.
The actions also include indictments against Chinese hackers working for the intelligence services and the military.
The administration is also planning to declassify intelligence reports to reveal Chinese efforts dating to at least 2014 to build a database containing names of executives and American government officials with security clearances.
The Marriott hacking is not expected to be part of the coming indictments.
In response to the development, Geng Shuang, a spokesman for China's Ministry of Foreign Affairs, denied any knowledge of the Marriott hacking.
"China firmly opposes all forms of cyberattack and cracks down on it in accordance with the law."
If offered evidence, the relevant Chinese departments will carry out investigations according to the law."