They write:

Although an independent forensic investigation has not conclusively determined that any particular customer’s payment card information was taken from the Hotel’s payment card system or misused as a result of the incident, we are providing this notice out of an abundance of caution to inform potentially affected customers of the incident and to call their attention to some steps they may choose to take to help protect themselves. While the independent forensic investigator did not find evidence that information was taken from the Hotel’s systems, it appears that there may have been unauthorized malware access to payment card information as it was inputted into the payment card systems. Payment card data (including payment card account number, card expiration date, security code, and cardholder name) of individuals who used a payment card at the Hotel between May 19, 2014, and June 2, 2015, may have been affected.

Those notified are being offer credit protection monitoring if they are U.S. residents.

The notification letter does not indicate how Trump Hotel Collection first became aware of the malware, nor how many customers are being notified.

Note: As a reminder, Brian Krebs broke the story in July about how the hotel collection might be impacted, but it was not just one hotel that was suggested as impacted, and the breach was thought to have begun in February, perhaps. So here we are in September, and the hotel is still claiming that there’s no evidence of data exfiltration or misuse, months after banks suspected them as the common point of compromise? Hmmm….

UPDATE 1: Although the notification mentions only one property, a notice on their website mentions that customers of 7 properties may be impacted. From their FAQ: