An undisclosed number of people who used credit cards at 20 Hyatt, Sheraton, Marriott, Westin and other hotels in California, nine other states and the District of Columbia may have had their cards compromised as a result of hack of the hotels' payment system.
According to the hotel operator HEI Hotels & Resorts, malware put into place in at least 20 locations — including five in California — may have collected names, payment card account numbers, card expiration dates and verification codes.
Data from customers may have been collected from early December through late June. At some properties, HEI said, data collection may have begun as early as March 2015 where people bought food or drinks.
"We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered," HEI said in a press release.
The affected California hotels, it said, are the Westin Pasadena, Renaissance San Diego Downtown Hotel, San Diego Marriott La Jolla, Hyatt Centric Santa Barbara and Le Meridien San Francisco.
Customers can visit www.heihotels.com/notice for a list of affected hotels nationwide and additional information about the incident.
HEI said that once it found out about the problem it transitioned payment card processing to a stand-alone system that's completely separate from the rest of its network. It disabled the malware and is in the process of reconfiguring various components of its network and payment systems to make them more secure.
The company says the breach has been contained and customers can safely use cards at all its properties. It said it continues to cooperate with the law enforcement investigation and is coordinating with banks and payment card companies.
Anyone who used a card at HEI hotels in the given time frame should review their account statements and look for discrepancies or unusual activity, both over the past several months and going forward, the company said. Customers who notice anything out of place should contact their credit or debit card issuer.
As with any breach, consumers are not liable for fraudulent charges on their credit cards. And once a breach such as this is disclosed, as a precaution, banks will often automatically issue new cards to any of their customers that could be affected.
Retailers and other companies that deal with large numbers of credit cards have become popular targets for hackers looking to make a quick buck by collecting and selling the information on the internet in bulk.
A couple of years ago, massive breaches involving the thefts of millions of card numbers at retailers such as Target, Home Depot and Neiman Marcus grabbed headlines.
Among hotel chains, Hilton Worldwide, Trump Hotel Collection and Starwood Hotels & Resorts have all confirmed payment-system breaches within the past year or so.
Yet the black-market value of credit card numbers has tumbled, largely as a result of better fraud prevention technology that allows banks to spot and stop bad transactions faster. As a result, many thieves have moved on to target more lucrative information such as healthcare data.
6:40 a.m.: This article has been updated with additional details.
3:18 p.m.: This article has been updated with additional information.