And in March, the Westin Bonaventure Hotel & Suites in Los Angeles issued a press release announcing that some type of breach had occurred at its four restaurants and at the valet parking stand. The hotel believes the theft took place between April 2009 and December 2009 but would not say how many people were affected.
McCullen said Trustwave could not provide details about any of the hacks his company tracks because many of the hotel chains are his clients.
Hotels know about the severity of the problem and say they are combating it.
"We've seen it in the last couple of years," said Joseph A. McInerney, president of the American Hotel & Lodging Association. "It's a majority priority from all the hotel companies. We want to try to keep the information of our customers secure."
But not everybody is so convinced of the risk at hotels.
Linda Foley, founder of the non-profit Identity Theft Resource Center, said she sees more reports about restaurants still than hotels.
"It seems to me that restaurants are really being targeted right now," she said.
However, Foley said that her information is mostly anecdotal, based on every possible publically reported breach. And that's the problem, since there is no central database of all hacks let alone details about those that are reported, she said. Nearly half of the reported breaches don't state how many records were involved.
"What we know is probably the tip of the iceberg," Foley said. Companies might have sent out letters to people whose cards were compromised, "but nobody called the press to complain."
Foley said that the New Hampshire Attorney General's office keeps an up-to-date list of all the breach letters they get. It's the best in the nation, she said, with nobody else maintaining such a comprehensive listing.
As for Trustwave, she said, "part of their goal is to keep [the breaches] out of the public eye."
She suggested a central database that could be maintained by the Federal Trade Commission or the Secret Service, which investigates such frauds.
So what can you do as a consumer?
Not much. Credit card companies don't hold customers responsible for such charges as long as they are reported in a timely manner.
McCullen suggests getting a copy of your room bill and holding onto it for 30 days. Then, he said, check your statements carefully to ensure no fraudulent charges. It's best to do it frequently online.
Sometimes, it could take months for a charge to appear.
"The sophisticated hackers," he warned, "will be patient."