Another 20 US hotels have been identified as being infected with point-of-sale malware earlier this year.
The dozen affected hotels are run by HEI Hotels & Resorts and bear the Starwood, Westin, Marriott International, Hyatt and InterContinental brands.
The chain says the malware campaign ran as far back as March 2015, with fourteen hotels affected after December 2, and didn't end until June 21 of this year.
According to Reuters, card data from tens of thousands of transactions could be at risk; HEI is still working out how many individual customers might have their names, card numbers, card expiry dates, and CCV numbers compromised.
The infected systems were used in restaurants, bars, spas, shops and other facilities.
It's been a horror month for the hospitality sector, which is scrambling to respond to the high-profile Oracle MICROS vulnerability.
Since acquiring MICROS, Oracle has consigned much of that company's media release history to the memory hole, but Hyatt was touted as a MICROS customer in 2003, and Marriott signed with the company in 2013. ®
Sponsored: Webcast: Simplify data protection on AWS