Thousands of guests at US hotels may have had their credit and debit data stolen, suggests a security researcher.
The cache of data seems to have gone astray from computers belonging to White Lodging Services said independent researcher Brian Krebs.
The service company runs 168 franchised hotels in the US for the Hilton, Marriott, Sheraton and Westin chains.
White Lodging said it was currently conducting an investigation into how the data had been taken.
Mr Krebs said White Lodging's role in the breach emerged as banking industry fraud investigators were looking into a sustained pattern of purchases made on faked cards in Marriott hotels. Oddly, said Mr Krebs in a blogpost, the fraudulent purchases were made only at Marriott hotels in six separate cities rather than across the entire chain.
Further investigation revealed that the common factor in all those hotels was they were run by Indiana-based White Lodging.
The fraudulent purchases were made at the gift shops, restaurants and other shops at the hotels and were not used to pay for rooms, said Mr Krebs.
In a statement issued to Mr Krebs, White Lodging said: "We will provide meaningful information as soon as it becomes available."
In a separate statement, Marriott said it was "working closely" with its franchisee on the investigation.
The latest breach comes in the wake of other much larger attacks on US retailers that saw payment card details for millions of customers stolen.