Cardholder details and payment information amongst data stolen, hotel firm confirms
Luxury hotel chain Hilton has revealed that some of its payment systems were infected with malware designed to steal targeted customer information.
Cardholder names, payment card numbers, security codes and expiration dates were among the information targeted by the malware, which infected POS (Point of Sale) systems in hotels.
However, no addresses or personal identification numbers (PINs) were stolen, Hilton added, saying that it quickly eliminated the malware, which was uncovered by a third-party investigation authorised by the company.
Hilton is not revealing how many cards or customers were affected by the malware, but has advised anyone who used a card at its hotels during a 17-week period, from November 18 to December 5, 2014 or from April 21 to July 27, to check their bank statements.
Anyone who thinks they may have been affected by the breach is being offered a year’s worth of free credit monitoring.
“On behalf of Hilton Worldwide, we sincerely regret any inconvenience related to our recent announcement that we identified and eradicated unauthorised malware that targeted payment card information in some point-of-sale systems at our hotels,” Jim Holthouser, Hilton’s executive vice president of global brands, wrote in a statement.
“You have my personal assurance that we take this matter very seriously, and we immediately launched an investigation and further strengthened our systems.”
The hack is the second to affect a major hotel chain in a matter of days, after Starwood Hotels revealed it had suffered a similar breach of its payment systems.
The company said 54 North American locations were compromised by point-of-sale malware, which was designed to steal payment card information including cardholder name, card number, security code and expiration date.
The breaches show that hospitality service providers face extraordinary challenges with customer data security at the point of sale (POS), security experts have said.
“Point of sale (POS) systems – what consumers often call the checkout system – are often the weak link in the chain and the choice of malware,” said Mark Bower, HPE Security’s global director of product management, enterprise data security.
“Risks of theft from point of sale (POS) malware are totally avoidable. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost-reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. No live data means no gold to steal. Attackers don’t like stealing straw.”
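Bower's point about encrypting in the card-reading terminal ahead of the POS can be shown concretely. The following is an added example, not code from the article or from any vendor, processor or hotel mentioned in it. It uses a constructed master key, a constructed sample card record built on a well-known Luhn-valid test PAN, and an HMAC-based stream cipher with encrypt-then-MAC as a stand-in for the DUKPT/AES schemes real P2PE terminals use (that substitution is an assumption made for illustration, not a recommendation). It contrasts what a POS holds in memory when it receives raw track data with what it holds behind an encrypting terminal, and runs the same PAN-pattern check a DLP scanner or forensic triage script would run over both buffers.

```python
"""Encrypt-at-the-terminal (P2PE) versus plaintext card data in POS memory.

Constructed for illustration: the master key, the sample card record and the
HMAC-based cipher are all stand-ins, not a production scheme.
"""
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Constructed sample record: a publicly known, Luhn-valid test PAN.
SAMPLE_TRACK = {
    "name": "A SAMPLE CARDHOLDER",
    "pan": "4111111111111111",
    "expiry": "1219",
    "cvv": "123",
}
FIELD_ORDER = ("name", "pan", "expiry", "cvv")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, the usual filter for 'is this a real PAN'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _derive_keys(master_key: bytes):
    # Separate encryption and MAC keys derived from one master key.
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based keystream (stand-in for AES).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_at_terminal(master_key: bytes, fields: dict, nonce: Optional[bytes] = None) -> dict:
    """Runs inside the card reader. Returns the only thing the POS ever receives:
    a masked PAN for the receipt plus an opaque authenticated blob."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce = nonce if nonce is not None else secrets.token_bytes(12)
    plaintext = "|".join(fields[k] for k in FIELD_ORDER).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    pan = fields["pan"]
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return {"masked_pan": masked, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_at_processor(master_key: bytes, record: dict) -> dict:
    """Runs at the payment processor, the only place holding the key."""
    enc_key, mac_key = _derive_keys(master_key)
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("authentication failed: record was altered in transit")
    ks = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    plaintext = bytes(c ^ k for c, k in zip(record["ciphertext"], ks)).decode()
    return dict(zip(FIELD_ORDER, plaintext.split("|")))


def pos_buffer_plaintext(fields: dict) -> bytes:
    """The 'before' case: a POS that receives raw track data holds it in memory."""
    return "|".join(fields[k] for k in FIELD_ORDER).encode()


def pos_buffer_encrypted(record: dict) -> bytes:
    """The P2PE case: the POS holds a masked PAN and ciphertext it cannot open."""
    return record["masked_pan"].encode() + b"|" + record["nonce"] + record["ciphertext"] + record["tag"]


PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def find_live_pans(buffer: bytes) -> list:
    """DLP-style scan: digit runs of PAN length that pass the Luhn check."""
    return [m.group().decode() for m in PAN_RE.finditer(buffer) if luhn_ok(m.group().decode())]


if __name__ == "__main__":
    key = b"constructed-master-key"  # placeholder key for the example only
    print("raw POS buffer exposes:", find_live_pans(pos_buffer_plaintext(SAMPLE_TRACK)))
    rec = encrypt_at_terminal(key, SAMPLE_TRACK)
    print("P2PE POS buffer exposes:", find_live_pans(pos_buffer_encrypted(rec)))
    print("processor recovers:", decrypt_at_processor(key, rec)["pan"])
```

The scan deliberately uses bytes, not a hex or text rendering of the buffer, since hex-encoding ciphertext would manufacture long digit runs and produce false positives; the same applies when triaging a real memory dump.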