Starwood Hotels Admits Payment System Breach


The hotel chain said 54 North American locations were compromised by point-of-sale malware

Starwood Hotels & Resorts Worldwide has become the latest hotel chain to report that payment systems at a number of its locations have been compromised by malicious software.

The hotel chain said on Friday that a third-party investigation found 54 of its locations in North America were infected with software designed to steal payment card information including cardholder name, card number, security code and expiration date.

Additional security measures

No personal customer data, such as contact information or personal identification numbers, was compromised and the malware has now been neutralised, according to Starwood.

The hotels’ own payment systems weren’t involved, with the malware infecting only systems belonging to third-party outlets such as restaurants and gift shops, Starwood said. The chain, which recently agreed to be acquired by Marriott International, said the hotels were affected for varying periods between November 2014 and October 2015.

The affected locations include the Sheraton New York Times Square hotel, the Westin New York Grand Central New York and The St. Regis Bal Harbour Resort in Florida. The chain said it has implemented additional security measures to prevent a recurrence of the incident.

As of last year Starwood owned or managed 1,222 properties around the world, including about 600 in North America.

Latest hotel breach

Last month The Trump Hotel Collection confirmed a breach of its payment systems, and Hilton said in September it was looking into reports of a malware infection of its card-processing systems.

Mandarin Oriental acknowledged a similar breach in March and hotel franchising firm White Lodging acknowledged a similar incident in April.

Point-of-sale devices are often targeted by hackers because they are a “weak link” in an organisation’s systems, according to Mark Bower, global director of product management, enterprise data security for HPE Security.

“They should be isolated from other networks, but often are connected,” he said in an advisory. “A checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data.”

Organisations can protect card data by encrypting it in the card-reading terminal before it reaches the point-of-sale system, Bower said.
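The following is an added illustration of that point, not code from the article or from HPE: a terminal encrypts the card number before handing it to the point-of-sale application, so a check that scans the POS buffer for Luhn-valid card numbers (the kind of check a PCI or DLP assessment runs) finds nothing, while the same check on an unencrypted record does. The HMAC-based keystream is a stand-in for a real terminal's P2PE scheme, the `pos_handle` function is hypothetical, and the card number is the well-known test PAN 4111 1111 1111 1111.

```python
import hashlib
import hmac
import os
import re

# Runs of 13-19 ASCII digits are candidate card numbers.
PAN_RE = re.compile(rb"\d{13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, as used by PAN-scanning tools."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_clear_pans(buf: bytes) -> list[str]:
    """Return every Luhn-valid digit run in a buffer (DLP-style check)."""
    return [m.group().decode() for m in PAN_RE.finditer(buf)
            if luhn_ok(m.group().decode())]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in keystream (HMAC-SHA256 in counter mode); a real terminal
    # would use its certified P2PE scheme, not this.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def terminal_encrypt(key: bytes, pan: str) -> bytes:
    """Card-reading terminal: encrypt the PAN before it leaves the device."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(key, nonce, len(pan))))
    return nonce + ct


def processor_decrypt(key: bytes, blob: bytes) -> str:
    """Payment processor: the only other party holding the key."""
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def pos_handle(record: bytes) -> bytes:
    """Hypothetical POS application: wraps and forwards the record, holds no key."""
    return b"TXN|" + record + b"|END"
```

With a clear-text record, `find_clear_pans(pos_handle(b"4111111111111111"))` returns the card number; with the terminal-encrypted record it returns an empty list, while the processor still recovers the PAN.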
