Two months after KrebsOnSecurity first reported that multiple banks suspected a credit card breach at Hilton Hotel properties across the country, Hilton has acknowledged an intrusion involving malicious software found on some point-of-sale systems.

According to a statement released after markets closed on Tuesday, the breach persisted over a 17-week period from Nov. 18, 2014 to Dec. 5, 2014, or April 21 to July 27, 2015.

“Hilton Worldwide has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems,” the company said. “Hilton immediately launched an investigation and has further strengthened its systems.”

Hilton said the data stolen includes cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs).

The company did not say how many Hilton locations or brands were impacted, or whether the breach was limited to compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties �" as previously reported here.

The announcement from Hilton comes just five days after Starwood Hotel & Resorts Worldwide �" including some 50 Sheraton and Westin locations �" was hit by a similar breach that lasted nearly six months.

Starwood and Hilton join several other major hotel brands in announcing a malware-driven credit card data breach over the past year. In October 2015, The Trump Hotel Collection confirmed a report first published by KrebsOnSecurity in June about a possible card breach at the luxury hotel chain.

In March, upscale hotel chain Mandarin Oriental acknowledged a similar breach. The following month, hotel franchising firm White Lodging allowed that �" for the second time in 12 months �" card processing systems at several of its locations were breached by hackers.

Readers should remember that they are not liable for unauthorized debit or credit card charges, but with one big caveat: the onus is on the cardholder to spot and report any unauthorized charges. Keep a close eye on your monthly statements and report any bogus activity immediately. Many card issuers now let customers receive text alerts for each card purchase and/or for any account changes. Take a moment to review the notification options available to you from your bank or card issuer.

Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators. He was recently profiled in Business Week and by Poynter.org.

www.krebsonsecurity.com