Last February, Mandarin Oriental discovered that some of its systems had been infected with malware capable of stealing customer card data during the previous nine months.
The company said the malware was never detected by the anti-viral systems it was using. The luxury hotel chain was instead alerted by its payment card processors that credit card systems at some of its hotels may have been compromised.
Today the company revealed details from its nearly four-month investigation. It said that its systems that manage point-of-sale purchases at select hotels in the US and Europe were made vulnerable.
The perpetrator hasn't been caught yet. Said the company:
"It appears the hacker may have used that malware to acquire the credit card numbers and, in some instances, the names of individuals who used a credit card for dining, beverage, spa, guest rooms, or products and other services at the affected Mandarin Oriental properties...
It appears this malware was designed to access the credit card numbers at the time of transaction as they were being transmitted.
We have not found any evidence of acquisition or misuse of pin numbers or the 3- to 4- digit security code printed on the credit card, or any other personal guest data...."
The cagily worded statement doesn't say if any customer has actually had their credit card information misused.
Here are the affected properties and times:
Mandarin Oriental, Boston between June 18, 2014 and March 12, 2015
Mandarin Oriental, Geneva between June 18, 2014 and March 3, 2015
Mandarin Oriental, Hong Kong between June 18, 2014 and February 10, 2015
Mandarin Oriental Hyde Park, London between June 18, 2014 and March 5, 2015
Mandarin Oriental, Las Vegas between June 18, 2014 and October 16, 2014
Mandarin Oriental, Miami between June 18, 2014 and March 3, 2015
Mandarin Oriental, New York between June 18, 2014 and January 18, 2015
Mandarin Oriental, San Francisco between June 18, 2014 and February 14, 2015
Mandarin Oriental, Washington DC between June 18, 2014 and January 20, 2015
The Landmark Mandarin Oriental, Hong Kong between June 18, 2014 and February 3, 2015
Mandarin Oriental says it has attempted to contact guests whose data may have been compromised and has set up a call center to handle questions.
"We issued a letter directly to guests whose contact information we had, if we determined during forensic investigation that their credit card numbers may have been acquired without authorization."
EARLIER: Mandarin Oriental: Undetectable malware stole our credit card data
READ THIS NEXT: Three luxury hotels are victims of spectacular hackings, says security firm
NB: Image of The Landmark, Hong Kong -- affected by the malware between 18 June 2014 and 3 February 2015 -- courtesy of Mandarin Oriental.