Hyatt Hotels Corp said a previously reported malware attack on its payment processing system occurred between August 13 and Dec. 8.
The hotel operator said on Thursday it identified unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at its restaurants.
The company also said the "at-risk window" for a limited number of locations began on or shortly after July 30.
Shares of Hyatt were down 3.1 percent in afternoon trading.
Hyatt also said it has arranged a third-party identity protection and fraud detection firm to provide one year of services to affected customers at no cost.
The company did not disclose the number of cards affected.
The company disclosed in December that its payment processing system was infected with information-stealing malware but did not mention how long its network was infected.
Hyatt, controlled by the billionaire Pritzker family, is the fourth major hotel operator to warn of a breach since October.
Hilton Worldwide Holdings Inc and Starwood Hotels & Resorts Worldwide Inc disclosed attacks on payment processing systems in November.
Donald Trump's luxury hotel chain, Trump Hotel Collection, also confirmed the possibility of a data security incident.
(Reporting by Radhika Rukmangadhan in Bengaluru; Editing by Don Sebastian)