A data breach at hundreds of Hyatt hotels that was revealed in December was caused by point-of-sale device malware that stole victims’ payment card information in transactions in hotel restaurants, spas, golf shops, and other locations.

The malware was on PoS systems in more than 300 Hyatt hotels around the world, including dozens in the United States, the company said. Hyatt officials disclosed the breach last month, but the details of what caused the incident just came out this week after the company completed the investigation. The breach affects people who used cards at the compromised hotels between mid-August and early December.

“The investigation identified signs of unauthorized access to payment card data from cards used onsite at certain Hyatt-managed locations, primarily at restaurants, between August 13, 2015 and December 8, 2015. A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period. The at-risk window for a limited number of locations began on or shortly after July 30, 2015,” a Hyatt statement says.

PoS malware has become a favorite tool for attackers looking to harvest as much stolen data as possible in a short amount of time. Traditional phishing and phone fraud scams still are quite effective, but they are not as efficient at stealing large volumes of information as a PoS malware infection can be. The Target data breach is the most prominent example of the kind of damage that a large-scale PoS malware infection can inflict.

Hyatt has not disclosed how the infection began in its facilities.

“The malware was designed to collect payment card data – cardholder name, card number, expiration date and internal verification code – from cards used onsite as the data was being routed through affected payment processing systems. There is no indication that other customer information was affected,” Hyatt said in its statement.

The company said it is in the process of notifying affected customers now.

Image from Flickr stream of Ludovic Bertron.