Hundreds of thousands of transactions may have been compromised in the latest hack
Card payment systems at 20 hotels around the US, including Starwood, Marriott, Hyatt and Intercontinental locations, have been affected by a data breach that may have resulted in the theft of card data used in tens of thousands of transactions at food, drink, retail and other outlets, according to HEI Hotels & Resorts, which operates the hotels affected.
Malicious code designed to collect card data was found on payment systems used in restaurants, bars, spas, lobby shops and other facilities at the hotels in early to mid-June, HEI said on Sunday.
Six of the locations were affected beginning on 1 March, 2015 and the other 14 beginning after 2 December, 2015, with the malware active up until 21 June of 2016, meaning that in some cases the malware was active for more than a year, HEI said.
The breach affected 12 Starwood hotels, six Marriott International locations, one Hyatt and one Intercontinental hotel, HEI said.
Customer names, account numbers, payment card expiration dates and verification codes may have been stolen, but PIN codes were not affected as they are not collected by the system, according to outside experts cited by HEI.
HEI said the infection appeared to have gained access to card processing units following a hack of another part of the company’s computer network, and said it has now installed a payment processing system separate from the rest of the network.
The company apologised to customers and stated that the incident “has now been contained and individuals can safely use payment cards at all of our properties”.
HEI estimated that an average of around 10,000 transactions occurred during the period in question at some of the hotels, suggesting a total of roughly 200,000 transactions were affected, but said it was difficult to estimate how many customers might have been involved as some may have carried out multiple transactions.
The hotels affected included locations in Arlington, Virginia; Santa Barbara, California; Tampa, Florida; Minneapolis, Minnesota; Pasadena, California; Philadelphia, Pennsylvania; Snowmass, Colorado; Washington, D.C.; Fort Lauderdale, Florida; Manchester Village, Vermont; San Francisco, California; Miami, Florida; Nashville, Tennessee; Boca Raton, Florida; Dallas-Fort Worth, Texas; Chicago, Illinois and San Diego, California, HEI said.
Hotel chains targeted
Oracle confirmed last week that MICROS, its point-of-sale subsidiary, was affected by a breach that may have involved the theft of credentials used to remotely access point-of-sale devices, which could have given attackers the means to plant malware on such devices.
That attack appeared to be linked to Russian crime group Carbanak, according to security experts with knowledge of the investigation.
Are you a security pro? Try our quiz!