NEW YORK (AP) — Hyatt, Sheraton, Marriott and Westin hotels in 10 states and the District of Columbia may have been targeted by hackers for months.

According to the hotel operator HEI Hotels & Resorts, malware put into place in at least 20 locations may have collected names, card account numbers, card expiration dates and verification codes.  See response from HEI Hotels & Resorts here.

Data from customers may have been collected from early December, through late June. At some properties, HEI said, data collection may have begun as early as March 2015.

Here’s a look at the specific hotels and locations that may have been compromised:

CALIFORNIA:

Hyatt Centric Santa Barbara

Le Meridien San Francisco

Renaissance San Diego Downtown Hotel

San Diego Marriott La Jolla

The Westin Pasadena

COLORADO:

The Westin Snowmass Resort in Snowmass Village

FLORIDA:

Boca Raton Marriott at Boca Center.

Intercontinental Tampa Bay.

Royal Palm South Beach Miami

Westin Fort Lauderdale

ILLINOIS:

Hotel Chicago Downtown

MINNESOTA:

The Hotel Minneapolis Autograph Collection

The Westin Minneapolis

PENNSYLVANIA:

The Westin Philadelphia

TENNESSEE:

Sheraton Music City Hotel in Nashville.

TEXAS:

Dallas Fort Worth Marriott Hotel & Golf Club.

VERMONT:

Equinox Resort Golf Resort & Spa in Manchester Village

VIRGINIA:

Le Meridien Arlington

Sheraton Pentagon City, Arlington

DISTRICT OF COLUMBIA

The Westin Washington, D.C. City Center

The company says the incident has been contained and customers can safely use cards at all of its properties.