Holiday Inn Express (image: Ardfern/Wikimedia Commons)

A data breach of InterContinental Hotels Group’s (IHG) systems that led to stolen credit card information from customers is considerably worse than originally reported by the company, according to a report from Brian Krebs.

In February, when IHG first acknowledged the hack, it claimed just 12 of its properties were affected. New data released from the company shows that more than 1,000 of its locations were hit and had credit card data stolen.

IHG properties include Holiday Inn, Holiday Inn Express, InterContinental, Staybridge Suites, Kimpton Hotels and Crowne Plaza.

The data breach appears to have been the result of a malware attack that compromised a number of the company’s computer systems. That malicious software was able to access payment data from the front desk computers, resulting in the likely theft of thousands of credit cards.

According to a statement from IHG, the malware was able to read data from the magnetic stripe of a card as it was being processed through the hotel server. Compromised information likely includes cardholder name, card number, expiration date and internal verification code. The company believes no other guest information was affected.

IHG has not disclosed an official number of hotels hit by the breaches, which took place between Sept. 29, 2016 and Dec. 29, 2016. However, the company has published a list of affected hotels, which includes all 50 states and locations in Puerto Rico.

Security reporter Brian Krebs estimates more than 1,000 locations were affected, and more could be added to the list in the future as IHG franchise locations continue to have their systems investigated by cyber forensics teams.

Customers who may have been affected by the breach are advised to keep a close eye on their credit card transactions in order to catch any potentially suspicious activity. Cardholders are not liable for fraudulent charges on their credit or debit cards, but they do have to report the unauthorized transactions to the company that issued the card.

IHG also noted it has been “working closely with the payment card networks as well as with the cyber security firm to confirm that the malware has been eradicated.” The company said law enforcement also has been notified of the breach.