54 Starwood Hotels point-of-sale systems in North America have been infected with a malware designed to collect payment card data.
The payment systems were infected with malware between November 2014 and October 2015.
The affected hotels include the Sheraton New York Times Square hotel, the Westin New York, Grand Central New York, and The St. Regis BalHarbour Resort in Florida.
The company consulted third-party forensic experts, who found that the malware had affected various restaurants and gift shop systems.
The malware was designed to collect certain card payment information, such as the name of the cardholder, card number, security code, and the expiration date.
However, no customer contact information or PIN number had been released, and the malware "no longer presents a threat".
Starwood Hotels & Resorts has taken remedial measures at the affected hotels to ensure that the malware does not pose a further threat to customers.
Starwood, Americas president Sergio Rivera said: "Protecting our customers’ information is critically important to Starwood, and we take this issue extremely seriously.
"Quickly after we became aware of the possible issue, we took prompt action to determine the facts. We have been working closely with law enforcement authorities, and have been coordinating our efforts with the payment card organisations.
"We want to assure our customers that we have implemented additional security measures to help prevent this type of crime from reoccurring."
Reservation and rewards programme systems had not been infected.
In 2014, Starwood group had 1,222 properties, including hotels and vacation rentals, under its ownership or management.
About 600 of its 1,222 properties are located in North America.
Starwood Hotels is due to be bought by Marriott International.
Image: Westin Times Square, a hotel under Starwood Hotels & Resorts Worldwide Inc. Photo: courtesy of Pixuk.
