Starwood said hackers were able to see debit and credit card information of some people that dined or shopped at 54 of its hotels, including Walt Disney World Dolphin, a Sheraton Hotel.
The hotelier said Friday that malware was found in payment systems at restaurants, gift shops, bars and other retail areas within hotels, but not at the front desk where guests pay for their stay. Starwood's news release said Dolphin customers were affected from Nov. 5, 2014, to April 13.
Stamford, Conn.-based Starwood said the malware exposed names on the cards as well as card numbers, security codes and expiration dates. Contact information and PINs were not exposed, the company said, and its loyalty program wasn't affected.
Other hotel companies have announced this year that they were hacked, including The Trump Hotel Collection and Mandarin Oriental.
Most of the affected Starwood hotels are in the U.S., including a St. Regis in Bal Harbour and Sheraton, Westin and W locations in Los Angeles, New York, Boston and several other cities. Two were in Canada and another hotel was in Puerto Rico.
Starwood posted a list online of the hotels and dates malware was found at www.starwoodhotels.com/paymentcardsecuritynoticehttp://www.starwoodhotels.com/paymentcardsecuritynotice. That website also says Starwood has arranged with a third party for identity-protection and credit-monitoring services to be provided at no cost for one year to affected customers.
Starwood said the malware, which has since been removed, infected payment systems since as early as November 2014.
The announcement comes on the same week that Bethesda, Maryland-based Marriott International Inc. said it planned to buy Starwood Hotels & Resorts Worldwide Inc. for $12.2 billion.
That sale would include the Dolphin and nine other Orlando-area properties.
The deal, which is expected to be completed in the middle of next year, would create the world's largest hotelier by combining Starwood's 1,275 properties with Marriott's more than 4,300.