Hyatt Hotels said a previously reported malware attack to steal payment card data affected 250 hotels between August 13 and Dec. 8.
The hotel operator listed affected locations worldwide and the period when they were at risk, on its website.
“We do not know the number of customers affected at this time,” company spokeswoman Stephanie Sheppard said in an email.
Hyatt (H) said on Thursday it identified unauthorized access to data on cards used at certain Hyatt-managed locations, primarily its restaurants.
The company also said the “at-risk window” for a limited number of locations began on or shortly after July 30.
The malware was designed to collect data such as cardholder name, card number, expiration date, and internal verification code, the company said.
Hyatt said it has notified the appropriate country and state regulators and is working with the FBI.
Up to Wednesday’s close, Hyatt shares had lost about a fifth of their value since the data breach was announced.
Hyatt said it has arranged an identity protection and fraud detection firm to provide one year of free services to affected customers.
The company disclosed in December that its payment processing system was infected with malware but did not mention how long its network was infected.
Hyatt, controlled by the billionaire Pritzker family, is the fourth major hotel operator to warn of a breach since October.
Donald Trump’s luxury hotel chain, Trump Hotel Collection, also confirmed the possibility of a data security incident.