Between approximately August 13 and December 8, 2015, POS malware infected payment processing systems at 250 Hyatt-managed hotels across 50 countries, including 100 hotels in 26 U.S. states. Hyatt first disclosed it was investigating a payment card data incident on December 23, 2015, and published the full list of 250 affected hotels on January 14, 2016. The malware primarily targeted restaurant and food/beverage POS terminals; a smaller percentage of compromised systems were at spas, golf shops, parking facilities, and front desks. Exposed data included cardholder names, card numbers, expiration dates, and internal verification codes from magnetic stripe reads. Hyatt offered free credit monitoring and identity theft protection to affected customers. The company implemented additional security measures including tokenization and end-to-end encryption. Note: Hyatt suffered a separate, second data breach in 2017 affecting payment card systems at 41 hotels in 11 countries, disclosed October 2017 — that incident is a distinct breach.