Starwood said hackers were able to see debit and credit card information of some people that dined or shopped at 54 of its hotels, including some Sheraton, Westin and W locations.
The hotelier said Friday that malware was found in payment systems at restaurants, gift shops, bars and other retail areas within hotels, but not at the front desk where guests pay for their stay.
Stamford, Connecticut-based Starwood said the malware exposed names on the cards as well as card numbers, security codes and expiration dates. Contact information and PINs were not exposed, the company said, and its loyalty program wasn't affected.
Other hotel companies have announced this year that they were hacked, including The Trump Hotel Collection and Mandarin Oriental.
Most of the affected Starwood hotels are in the U.S., including a St. Regis in Bal Harbour, Florida, and Sheraton, Westin and W locations in Los Angeles, New York, Boston and several other cities. Two were in Canada and another hotel was in Puerto Rico. Starwood posted a list online of the hotels and dates malware was found at www.starwoodhotels.com/paymentcardsecuritynotice. Starwood said the malware, which has since been removed, infected payment systems since as early as November 2014.
The announcement comes on the same week that Bethesda, Maryland-based Marriott International Inc. said it planned to buy Starwood Hotels & Resorts Worldwide Inc. for $12.2 billion. The deal, which is expected to be completed in the middle of next year, would create the world's largest hotelier by combining Starwood's 1,275 properties with Marriott's more than 4,300.