White Lodging Services, the company that manages hotels in eight states victimized by a customer data breach, said in a statement Thursday that it first learned of the nine-month malware attack on Jan. 16, more than two weeks before the news was made public.
A spokesman for one of the hotels told CNBC his organization was not notified by White Lodging until Jan. 31, the same day it was first reported by security researcher Brian Krebs on his Krebs on Security website.
The breach hit 14 hotels, including ones owned by Marriott, Starwood, Intercontinental and Carlson Rezidor or their franchisees, possibly giving access to customers' names, credit card numbers, security codes and card expiration dates.
In 13 of the 14 cases, the malware was only in the credit and debit card readers at the hotels' restaurants and gift shops. At the Radisson Star Plaza in Merrillville, Ind., the hotel's main front desk computers also were attacked. White Lodging Services is headquartered in Merrillville.
The malware was in the hotel computers from March 20 to Dec. 16, 2013.
In a letter posted on its website, White Lodging addressed why the incident wasn't announced sooner.
"We were informed of the suspected breach on January 16, 2014 and then promptly contacted law enforcement(,) engaged a security forensic firm and commenced the investigation. The forensic investigation, research to identify the affected locations and cards, the procurement of identity theft protection services and preparation of communications was conducted as fast as we could," the company wrote.
White Lodging said Thursday it would provide one year of free personal identity protection to anyone who used a credit or debit card at food and beverage outlets at any of the 14 hotels.