White Lodging, the company behind some of the hotels in the US chains Hilton, Marriott, Sheraton and Westin, has been leaking thousands of guests’ credit and debit card information throughout much of 2013.
Security journalist Brian Krebs reports hearing from banking industry sources in January regarding a pattern of fraud on cards used at the hotels from about 23 March 2013 up until the end of 2013.
The fraud popped up in specific hotels located in the US cities of Austin, in Texas; Chicago, in Illinois; Denver, in Colorado; Los Angeles, in California; Louisville, in Kentucky; and Tampa, in Florida.
The common denominator, it turns out, is that all of the affected hotels in those locations contain businesses run by White Lodging Services Corporation, which owns, develops and/or manages premium hotel brands.
Krebs’s sources said that it was mainly the restaurants, gift shops and other businesses that White Lodging runs within some of the hotels that were targeted, as opposed to the front desk computers that check guests in and out.
That means that the only Marriott guests who should be affected are those who used their cards at gift shops and restaurants, Krebs notes.
White Lodging declined to give details, citing an ongoing investigation.
Marriott issued a statement saying that “one of its franchisees has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels.”
Krebs posted the rest of Marriott’s statement, which reads:
They are in the midst of the investigation and are in close contact with the banks and credit cards companies. We are working closely with the franchisee as they investigate the matter. Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide. As this impacts customers of Marriott hotels we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely.
We don’t know how the White Lodging breach happened. Perhaps the company will end up joining the rapidly expanding list of companies where poisoned point-of-sale (PoS) machines have been implicated:
- Target, from which at least 70 million credit- and bank-card numbers were stolen;
- Craft store Michaels, which first heard of the breach from law enforcement and card processors; and
- Neiman Marcus, yet another retailer to get drained during the holiday shopping time.
Sophos’s Chester Wisniewski and Numaan Huq have been tracking malware behind rigged PoS systems for more than three years and are on the brink of presenting their research at this year’s RSA Conference.
Marriott mentioned fraud “at a number of hotels across a range of brands”, which makes it sound like we still might well hear of other hotel brands serviced by White Lodging having been targeted.
So if you’ve been in a hotel, paid for something in a hotel restaurant or gift shop, bought crafting supplies, or basically touched any sliver of plastic in your wallet or purse at all whatsoever to buy so much as a gumball, keep an eye out for funky charges on your statement.