White Lodging Services, the company that manages hotels in eight states victimized by a customer data breach, said in a statement Thursday it first learned of the nine-month malware attack on Jan. 16, more than two weeks before the news was made public.
A spokesman for one of the hotels told CNBC his organization was not notified by White Lodging until Jan. 31, the same day it was first reported by security researcher Brian Krebs on his Krebs on Security website.
The breach hit 14 hotels, including ones owned by Marriott, Starwood, Intercontinental and Carlson Rezidor or their franchisees.
Antonio Saba | Cultura | Getty Images
White Lodging Services manages several hundred hotels that are owned by different companies. Its ongoing investigation has so far identified only 14 properties that were targeted in the attack and possibly gained access to customers' names, credit card numbers, security codes and card expiration dates.
In 13 of the 14 cases, the malware was only in the credit and debit card readers at the hotels' restaurants and gift shops. In only one location, the Radisson Star Plaza in Merrillville, Ind., was the hotel's main front desk computers also attacked. White Lodging Services is also headquartered in Merrillville.
The malware was in the hotel computers from March 20 to Dec. 16, 2013.
(Read more: Identity theft rises as crooks get more creative)
On Thursday, White Lodging also said it will provide one year of free personal identity protection through AllClearID to anyone who used a credit or debit card at food and beverage outlets at any of the 14. Consumers must sign up by May 7.
In the letter posted on its website, White Lodging also urged customers to guard their personal information.
"Please note when these type of incidents occur, some criminals seek to fraudulently obtain the personal information of affected individuals by claiming to be the business that experienced the incident. We advise you NOT to respond to any requests from entities requesting your sensitive personal information in relation to this incident," the statement reads.