The chain that owns Westin, Starwood, Marriott, Hyatt, Intercontinental and Le Méridien hotels – HEI Hotels & Resorts – on Friday said that point-of-sale (POS) systems at several properties had been infected with malware that could let crooks get at customers’ credit card details, including names, card account numbers, expiration dates, and verification codes.
The intruders apparently didn’t gain access to PINs, since the POS system doesn’t collect them.
In a more detailed data breach notice, HEI listed 20 affected hotels, all in the US.
HEI said the breach has now been contained and that it’s safe to use payment cards at its hotels.
In an FAQ about the incident, the company said that it doesn’t store credit or debit card information, which leads it to believe that the malware was accessing payment card information “in real-time,” as it was being input into the POS systems.
HEI said it can’t determine if any particular customer was affected.
But based on forensics, it’s looking like customers who should be keeping an eye on their card statements to look for fraudulent transactions are those who made a payment card purchase at POS terminals – such as those in restaurants, bars, spas, lobby shops and other facilities – at the affected hotels during the dates listed in a table on the FAQ.
Those dates vary between hotels, but the earliest date for the breach seems to be March 2015, and the breaches continued until as late as June 2016 for some of those properties.
Unfortunately, you can’t expect a call or an email if you’ve been affected, given that HEI doesn’t store the card details and thus can’t tell who used the cards, or when, or where.
That also means that HEI isn’t sure how many customers have been affected. As it is, some customers could have used their cards multiple times, HEI spokesman Chris Daly told Reuters.
Daly said that some 8,000 transactions occurred during the affected period at the Hyatt Centric Santa Barbara hotel in California, and about 12,800 at the IHG Intercontinental in Tampa, Florida.
The malware affected 12 Starwood hotels, six Marriott properties, one Hyatt hotel and one Intercontinental hotel.
HEI discovered the breach some time in June. It didn’t say how.
But once it did uncover the card-slurping malware, the company shifted payment card processing to a stand-alone system, completely isolated from the rest of its network.
It disabled the malware and reconfigured POS and payment card processing systems to bolster the security – again, it didn’t give details of how – and help to prevent a recurrence.
The breach follows similar POS attacks on other hotels: in December, Hyatt said that 250 hotels were drained of card details, for example.
Other chains that have been hit by POS malware include the massive Target breach of 2013, which affected some 40 million payment card details.
At the beginning of 2014, Neiman Marcus waved goodbye to an undisclosed number of payment cards.
In June 2014 P.F. Chang’s China Bistro restaurant chain began investigating a potential breach, later confirming that payment cards used in a number of its restaurants may have been compromised.
In August 2014, we saw POS malware rear its ugly head once again as Supervalu disclosed a breach. The retailer said it was investigating the potential theft of payment card data from as many as 200 of its stores.
In September 2014 we saw another huge breach as 56 million payment cards were compromised after custom malware was used to target Home Depot‘s POS systems.
Weren’t chip cards supposed to stop this?
As we’ve noted in the past, the only possible good to come from so many data breaches is the potential hastening of the death knell for the magnetic stripe credit cards so beloved in the US.
Unlike the EMV Chip and PIN cards used by much of the rest of the world, the so-called magstripe cards are especially prone to being cloned by crooks.
Security journalist Brian Krebs predicted back in July 2015 that the end of mag stripe cards may well have been nigh, given that merchants will bear the cost of fraud undertaken with counterfeit cards unless they’ve installed chip-enabled card readers:
In October 2015, merchants that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards.
…but the fact that we’re still hearing about POS breaches means we’ve still got a way to go.
As of February, months after that October 2015 deadline, only 37% of US retailers were ready to process chip-embedded credit and debit cards.
Here’s a representative comment submitted to a survey of retailers, as quoted by Ars Technica:
This has been a major pain in the a$$. Terminal manufacturers weren’t ready, the processors and certification people weren’t ready; we spend more of our own $$ to clean up their mess.
What to do?
For hotel patrons: Review your credit and debit card account statements as soon as possible in order to sniff out any bogus charges. See something fishy? Call the company that issued the card immediately.
For everyone with a network: Consider dividing up your network so that crooks who invade one part of it can’t roam around at will and implant malware on cash registers and other customer-facing computers. HEI separated off its payment computers after this breach, but doing it proactively is a much better plan!
By the way, even though taxpayer IDs weren’t included in the HEI breach, the company’s prepared a reference guide to identity theft protection that describes what steps customers can take to help protect themselves, including recommendations from the Federal Trade Commission regarding identity theft protection.
LEARN MORE ABOUT DIVIDING UP YOUR NETWORK