Hilton Hotels Hit By Payment Malware

Luxury hotel chain Hilton has revealed that some of its payment systems have been infected with malware that organised the theft of targeted customer information.

Cardholder names, payment card numbers, security codes and expiration dates were among the information targeted by the malware, which infected POS (Point of Sale) systems in hotels.

However, no addresses or personal identification numbers (PINs) were stolen, Hilton added, saying that it quickly eliminated the malware, which was uncovered by a third-party investigation authorised by the company.


Hilton is not revealing how many cards or customers were affected by the malware, but has advised anyone who used their cards during a 17-week period lasting from November 18 to December 5, 2014 or from April 21 to July 27, to check their bank statements.

Anyone who thinks they may have been affected by the breach is being offered a year’s worth of free credit monitoring.

“On behalf of Hilton Worldwide, we sincerely regret any inconvenience related to our recent announcement that we identified and eradicated unauthorised malware that targeted payment card information in some point-of-sale systems at our hotels,” Jim Holthouser, Hilton’s executive vice president of global brands, wrote in a statement.

“You have my personal assurance that we take this matter very seriously, and we immediately launched an investigation and further strengthened our systems.”

The hack is the second to affect a major hotel chain in a matter of days, after Starwood Hotels revealed it had suffered a similar breach of its payment systems.

Starwood said 54 North American locations were compromised by point-of-sale malware, which was designed to steal payment card information including cardholder name, card number, security code and expiration date.

The breaches show that hospitality service providers face extraordinary challenges with customer data security at the point of sale (POS), security experts have said.

“Point of sale (POS) systems – what consumers often call the checkout system – are often the weak link in the chain and the choice of malware,” said Mark Bower, HPE Security’s global director of product management, enterprise data security.

“Risks of theft from point of sale (POS) malware is totally avoidable. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. No live data means no gold to steal. Attackers don’t like stealing straw.”


Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.
