Hilton Hotels has confirmed a security breach that experts first suspected as early as August. The attacks – some dating back more than a year – involved malware loaded on point-of-sale systems in some of Hilton’s restaurants and gift shops.

The hotel chain said in a press release that it has identified and taken action to remove the malware, adding that it immediately launched an investigation into the matter and strengthened its systems to protect against future attacks.

Working with law enforcement, third-party forensics experts and payment card companies, Hilton determined that payment information, including cardholder names, card numbers, security codes and expiration dates, was targeted. The company said addresses and personal identification numbers weren’t compromised.

The malware was active between November 18, 2014 and December 5, 2014, as well as between April 21 and July 27 of this year. Hilton refused to disclose how many cards were impacted, instead urging customers to review and monitor their payment card statements if they stayed at one of the hotel’s locations during the aforementioned periods.

Hilton’s portfolio includes Hilton Hotels & Resorts, Waldorf Astoria Hotels & Resorts, Conrad Hotels & Resorts, Canopy by Hilton, Curio - A Collection by Hilton, DoubleTree by Hilton, Embassy Suites by Hilton, Hilton Garden Inn, Hampton by Hilton, Homewood Suites by Hilton, Home2 Suites by Hilton and Hilton Grand Vacations.

Hilton is offering those affected by the breach a free year of credit monitoring service through AllClear.