Luxury chain Trump Hotel Collection has confirmed its five-star Toronto inn was among seven hit earlier by malware inserted into the company’s front desk and point of sale credit/debit payment card system in 2014.

An unknown number of customers have been warned that payment card account number, card expiration date and security code may have been copied as the data went into the payment card system in the hotels there and in two properties in New York City, and one each in Miami, Chicago, Las Vegas and Waikiki, the company says in a statement on its Web site. In addition, cardholder names may also have been copied at the point-of-sale machines in restaurants, gift shops and other places in Las Vegas and Waikiki.

Unaffected were Trump properties in Scotland, Ireland, Panama or any Trump Estate sites.

To those who used payment cards during the 12 months the malware was on its systems Trump has offered one year of complimentary fraud resolution and identity protection services from Experian, which it describes as “a leading provider of identity protection services.” That’s the same Experian that yesterday acknowledged data on 15 million T-Mobile USA wireless customers had been stolen from its consumer credit bureau. “This incident did not impact Experian’s consumer credit database,” the company said.

In its statement Trump said that “although an independent forensic investigation has not conclusively determined that any particular customer’s payment card information was taken from the properties’ payment card system or misused, we are providing this notice out of an abundance of caution to inform potentially affected customers of the incident and to call their attention to some steps they may choose to take to help protect themselves.”

The malware has been removed and systems are being reconfigured.

There has been no reply to an email sent to the company’s public relations firm for more details.

Trump properties, with the upscale clientele, would understandably be a juicy target for an attacker. Hotels and hospitality-related facilities are favourite targets of attackers, said Christopher Budd, a global threat communications manager at security vendor Trend Micro. For example, security blogger Brian Krebbs — who first reported the Trump breach — said last week the Hilton chain is investigating reports that POS systems in restaurants and gift shops in the U.S. had been compromised.

“Generally people (attackers) are hitting the gift shop and cash resister payment points rather than the check-in or reservation system,” Budd said, because these systems are “lightly guarded.”

“Point of sale terminals tend to be out of date in terms of operating systems — a lot are still running Windows XP.” And if attackers don’t want to be bothered hacking into systems, they can sometimes do it by hand. Budd recalled an incident where an attacker placed malware on the terminal of U.S.-based Nordstrum department store, probably using a thumb drive.

Two new POS variants targeting small and medium businesses have emerged this week, he added.