The Sheraton and Westin hotels at Crown Center were among 54 properties where hackers were able to see debit and credit card information of some diners and shoppers, hotel owner Starwood said Friday.
Starwood said malware was found in payment systems at restaurants, gift shops, bars and other retail areas within hotels, but not at the front desk where guests pay for their stay.
Stamford, Conn.-based Starwood said the malware exposed the names on the cards as well as card numbers, security codes and expiration dates. Contact information and PINs were not exposed, the company said, and its loyalty program wasn’t affected.
An online list of hotels involved showed the Sheraton Kansas City Hotel at Crown Center had its “payment card security issue” from March 2 to April 16 this year. The Westin Kansas City at Crown Center had its issues from Nov. 7, 2014, to April 5.
Each of the Crown Center hotels has a warning notice on its website.
Other hotel companies have announced this year that they were hacked, including the Trump Hotel Collection and Mandarin Oriental.
Most of the affected Starwood hotels are in the U.S., including a St. Regis in Bal Harbour, Fla., and Sheraton, Westin and W locations in Los Angeles, New York, Boston and several other cities. Two were in Canada, and another hotel was in Puerto Rico.
Starwood said the malware, which has since been removed, infected payment systems since as early as November 2014.
The announcement comes the same week that Bethesda, Md.-based Marriott International Inc. said it planned to buy Starwood Hotels & Resorts Worldwide Inc. for $12.2 billion. The deal, which is expected to be completed in the middle of next year, would create the world’s largest hotelier by combining Starwood’s 1,275 properties with Marriott’s more than 4,300.
The Star’s Mark Davis contributed to this story.