The Hyatt hotel chain has posted a global list of hotels hit by malware that was found on its customer payments system last year.
The list includes Hyatt premises in Canada, the US, the UK, Jordan, Chile and Indonesia and involves almost half of its properties.
The firm is offering one year’s free protection to people who used their cards in one of the compromised hotels.
The infection took place between August and December last year.
The Chicago-based Hyatt group has 627 properties in its portfolio. It said 250 hotels, all of which it manages directly, had been infected.
In a statement, Hyatt’s global president of operations Chuck Floyd said that “unauthorised access” to payment card information – including the names of cardholders, card numbers and expiry dates – had been detected primarily in restaurants but also at spas, golf shops, parking and some front desks inside the hotel chain.
“We encourage you to remain vigilant and to review your payment card account statements closely,” he said, adding that cards could now be used “with confidence” inside the hotel chain following the investigation.
Although he said the company had “worked quickly” with cybersecurity experts and law enforcement to address the issue, the infection appeared to have gone unnoticed for about four months.
The period of risk for affected customers was between 30 July and 8 December 2015, Mr Floyd wrote.
Hyatt has now teamed up with a company called CSID, which specialises in identity protection and “fraud restoration” services, to offer one year’s free coverage for those whose cards may have been compromised.
Security expert Brian Krebs noted on his blog that the Hilton, Starwood, Mandarin Oriental, White Lodging and the Trump Collection hotels were all hit by payment information breaches last year.