Starwood hotels runs Sheraton, Westin, and W brands, along with the Swan and Dolphin at the Walt Disney World Resort.
The company said malware was found in payment systems at restaurants, gift shops and other retail locations within hotels, but not at front desk locations.
Starwood said the malware exposed names, as well as card numbers, security codes and expiration dates.
According to the release, contact information and PIN numbers were not exposed and its loyalty program wasn't affected.
The Dolphin hotel was subject to the data breach between Nov. 5, 2014 and April 13, 2015. The Swan hotel was not affected. Also affected were the Sheraton, Westin and W locations in Los Angeles, New York, Boston and several other cities.
A full list of the hotels is on the Starwood Hotels website. Starwood said the malware has since been removed.
Customers with questions can call Starwood at 1-855-270-9179, Monday through Saturday from 8 a.m. to 8 p.m. Central time.
The company is urging anyone who visited the hotels to check their credit report.
Starwood has also arranged for All Clear ID to provide protection and credit monitoring services for affected customers for one year.