According to the hotel chain's investigation, the malware was active from September 29th to December 29th, 2016. Since it was designed to pilfer info from a card's magnetic stripe, the company believes it could have stolen guests' CC numbers, expiration dates and verification codes. The malware showed no signs of activity after December 29th, but IHG wasn't able to remove it from cash registers until around March 2017.

Based on IHG's tool, only hotels in the US and Puerto Rico were affected, but a spokesperson told USA Today that the company still isn't done investigating its other properties. The chain could very well update the tool later with even more locations in other parts of the globe. Those who stayed in any IHG-owned property late last year may want to keep a close eye on their credit card transactions.