On Monday, HEI Hotels and Resorts, which operates a number of high-end locations for the likes of Starwood, Marriott, Hyatt, and Intercontinental, said a data breach had hit 20 of its hotels in the U.S.
It was discovered in June on payment systems used by hotel facilities such as restaurants, bars, spas, and lobby shops, HEI spokesperson Chris Daly told Reuters.
The company said the attack could’ve given hackers access to “the payment card information of certain individuals who used payment cards at point-of-sale terminals, such as food and beverage outlets, at some of our properties.”
Information on the specific hotels hit by the malicious software, and when it was active, has been laid out on a special webpage posted by the company so customers can check if they may have been caught up in the attack.
The malware was active from March 1, 2015 through June 21 this year, and hit premises that include 12 Starwood hotels, 6 Marriott International locations, 1 Hyatt site, and 1 InterContinental hotel.
Tens of thousands of transactions took place on the hotels’ targeted point-of-sale terminals, though Daly said it was currently hard to say how many customers had been hit as a single card may have been used multiple times by its owner.
About 8,000 transactions occurred during the affected period at the Hyatt Centric Santa Barbara hotel in California, for example, and about 12,800 at the IHG Intercontinental in Tampa, Florida, Daly told Reuters.
In a statement, HEI offered the usual assurances about taking its responsibility “very seriously,” adding that it has “mounted a thorough response to investigate and resolve this incident, bolster our data security, and support our customers.” The company offers an FAQ page on the incident here.
Cybercriminals who manage to nab credit card data often try to sell it via illicit hacking forums, with buyers hoping to use it for online shopping sprees or to withdraw money from bank accounts.
