Road Warrior

Hotel data breach went undiscovered for nine months


White Lodging Services, the company that manages hotels in eight states victimized by a customer data breach, said in a statement Thursday it first learned of the nine-month malware attack on Jan. 16, more than two weeks before the news was made public.

A spokesman for one of the hotels told CNBC his organization was not notified by White Lodging until Jan. 31, the same day it was first reported by security researcher Brian Krebs on his Krebs on Security website.

The breach hit 14 hotels, including ones owned by Marriott, Starwood, Intercontinental and Carlson Rezidor or their franchisees.

Antonio Saba | Cultura | Getty Images

White Lodging Services manages several hundred hotels that are owned by different companies. Its ongoing investigation has so far identified only 14 properties that were targeted in the attack and possibly gained access to customers' names, credit card numbers, security codes and card expiration dates.

In 13 of the 14 cases, the malware was only in the credit and debit card readers at the hotels' restaurants and gift shops. In only one location, the Radisson Star Plaza in Merrillville, Ind., was the hotel's main front desk computers also attacked. White Lodging Services is also headquartered in Merrillville.

The malware was in the hotel computers from March 20 to Dec. 16, 2013.

(Read more: Identity theft rises as crooks get more creative)

On Thursday, White Lodging also said it will provide one year of free personal identity protection through AllClearID to anyone who used a credit or debit card at food and beverage outlets at any of the 14. Consumers must sign up by May 7.

In the letter posted on its website, White Lodging also urged customers to guard their personal information.

"Please note when these type of incidents occur, some criminals seek to fraudulently obtain the personal information of affected individuals by claiming to be the business that experienced the incident. We advise you NOT to respond to any requests from entities requesting your sensitive personal information in relation to this incident," the statement reads.

How to fight back against identity theft

The Q&A on its site specifically addresses why the incident wasn't announced sooner.

"We were informed of the suspected breach on January 16, 2014 and then promptly contacted law enforcement engaged a security forensic firm and commenced the investigation. The forensic investigation, research to identify the affected locations and cards, the procurement of identity theft protection services and preparation of communications was conducted as fast as we could," the company states.

(

The investigation is ongoing and does not appear to be related to the massive data breach at Target stores. "We are examining the likely root causes of this incident and are taking steps designed to prevent a reoccurrence," the company said.

The 13 other hotels where the restaurant or gift shops' payment systems were attacked:

• Marriott Midway, Chicago
• Holiday Inn Midway, Chicago
• Holiday Inn Austin Northwest, Austin, Texas
• Sheraton Erie Bayfront, Erie, Pa.
• Westin Austin at The Domain, Austin, Texas
• Marriott Boulder, Boulder, Colo.
• Marriott Denver South, Denver
• Marriott Austin South, Austin, Texas
• Marriott Indianapolis Downtown, Indianapolis
• Marriott Richmond Downtown, Richmond, Va.
• Marriott Louisville Downtown, Louisville, Ky.
• Renaissance Plantation, Plantation, Fla.
• Renaissance Broomfield Flatiron, Broomfield, Colo.

Representatives for White Lodging and the hotels on Thursday either declined to comment on the record or did not respond to a request for further comment on the latest White Lodging statement.

(Read more: Hotels testing keyless entry via smartphone app)

—By CNBC's Amy Langfield. Follow her on Twitter at @AmyLangfield.

Follow Road Warrior on Twitter at @CNBCtravel.