To Top

US hotels hit by payment card slurping malware


The chain that owns Westin, Starwood, Marriott, Hyatt, Intercontinental and Le M?ridien hotels – HEI Hotels & Resorts – on Friday said that point-of-sale (POS) systems at several properties had been infected with malware that could let crooks get at customers’ credit card details, including names, card account numbers, expiration dates, and verification codes.

The intruders apparently didn’t gain access to PINs, since the POS system doesn’t collect them.

In a more detailed data breach notice, HEI listed 20 affected hotels, all in the US.

HEI said the breach has now been contained and that it’s safe to use payment cards at its hotels.

In an FAQ about the incident, the company said that it doesn’t store credit or debit card information, which leads it to believe that the malware was accessing payment card information “in real-time,” as it was being input into the POS systems.

HEI said it can’t determine if any particular customer was affected.

But based on forensics, it’s looking like customers who should be keeping an eye on their card statements to look for fraudulent transactions are those who made a payment card purchase at POS terminals – such as those in restaurants, bars, spas, lobby shops and other facilities – at the affected hotels during the dates listed in a table on the FAQ.

Those dates vary between hotels, but the earliest date for the breach seems to be March 2015, and the breaches continued until as late as June 2016 for some of those properties.

Unfortunately, you can’t expect a call or an email if you’ve been affected, given that HEI doesn’t store the card details and thus can’t tell who used the cards, or when, or where.

That also means that HEI isn’t sure how many customers have been affected. As it is, some customers could have used their cards multiple times, HEI spokesman Chris Daly told Reuters.

Daly said that some 8,000 transactions occurred during the affected period at the Hyatt Centric Santa Barbara hotel in California, and about 12,800 at the IHG Intercontinental in Tampa, Florida.

The malware affected 12 Starwood hotels, six Marriott properties, one Hyatt hotel and one Intercontinental hotel.

HEI discovered the breach some time in June. It didn’t say how.

But once it did uncover the card-slurping malware, the company shifted payment card processing to a stand-alone system, completely isolated from the rest of its network.

It disabled the malware and reconfigured POS and payment card processing systems to bolster the security – again, it didn’t give details of how – and help to prevent a recurrence.

The breach follows similar POS attacks on other hotels: in December, Hyatt said that 250 hotels were drained of card details, for example.

Other chains that have been hit by POS malware include the massive Target breach of 2013, which affected some 40 million payment card details.

At the beginning of 2014, Neiman Marcus waved goodbye to an undisclosed number of payment cards.

In June 2014 P.F. Chang’s China Bistro restaurant chain began investigating a potential breach, later confirming that payment cards used in a number of its restaurants may have been compromised.

In August 2014, we saw POS malware rear its ugly head once again as Supervalu disclosed a breach. The retailer said it was investigating the potential theft of payment card data from as many as 200 of its stores.

In September 2014 we saw another huge breach as 56 million payment cards were compromised after custom malware was used to target Home Depot’s POS systems.

Weren’t chip cards supposed to stop this?

As we’ve noted in the past, the only possible good to come from so many data breaches is the potential hastening of the death knell for the magnetic stripe credit cards so beloved in the US.

Unlike the EMV Chip and PIN cards used by much of the rest of the world, the so-called magstripe cards are especially prone to being cloned by crooks.

Security journalist Brian Krebs predicted back in July 2015 that the end of mag stripe cards may well have been nigh, given that merchants will bear the cost of fraud undertaken with counterfeit cards unless they’ve installed chip-enabled card readers:

In October 2015, merchants that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards.

…but the fact that we’re still hearing about POS breaches means we’ve still got a way to go.

As of February, months after that October 2015 deadline, only 37% of US retailers were ready to process chip-embedded credit and debit cards.

Here’s a representative comment submitted to a survey of retailers, as quoted by Ars Technica:

This has been a major pain in the a$$. Terminal manufacturers weren’t ready, the processors and certification people weren’t ready; we spend more of our own $$ to clean up their mess.

What to do?

For retailers: Beyond the hassle of installing the new card readers, you might also want to read our 6 tips for keeping your data safe and revisit your incident response plans.

For hotel patrons: Review your credit and debit card account statements as soon as possible in order to sniff out any bogus charges. See something fishy? Call the company that issued the card immediately.

For everyone with a network: Consider dividing up your network so that crooks who invade one part of it can’t roam around at will and implant malware on cash registers and other customer-facing computers. HEI separated off its payment computers after this breach, but doing it proactively is a much better plan!

By the way, even though taxpayer IDs weren’t included in the HEI breach, the company’s prepared a reference guide to identity theft protection that describes what steps customers can take to help protect themselves, including recommendations from the Federal Trade Commission regarding identity theft protection.


More inUncategorized

  • Long Island’s Dirtiest Police Chief

    When you’re a cop, you’re already expected to be dirty. But not every cop can be just like James Burke. You...

    Christine KingsMay 31, 2017
  • Police Hurting Innocent People

    Just because they have badges doesn’t mean that they have the right to harm innocent people. However, they still find a...

    Christine KingsMay 31, 2017
  • Death in Police Custody

    Dying in the hands of cops is a terrifying way to go. But what if you’re just sitting in a jail...

    Christine KingsMay 31, 2017
  • Mistaken Identity by Police

    Police officers aren’t exactly the brightest bulbs out there. They’re pretty known for mistaking a person for someone else and sometimes,...

    Christine KingsMay 31, 2017
  • NYPD Corruption and Misconducts

    One of the most prominent cop teams all over the world is the NYPD. They’re famous for the city that they...

    Christine KingsMay 31, 2017
  • DUI Arrests Continue To Decline

    The number of arrests due to driving while impaired has decreased consistently.  But every holiday, law enforcement continues to spend thousands...

    Brent McAllisterMay 31, 2017
  • The Case of Tamir Rice

    While police brutality towards African-Americans is not exactly unheard of, things only become even more appalling when you discover that they...

    Christine KingsMay 31, 2017
  • Hands Up, Don’t Shoot – The Shooting of Michael Brown

    During recent times, there seems to be a never ending trend of African-Americans being arrested and/or killed by law enforcement just...

    Christine KingsMay 31, 2017
  • The Case of Sandra Bland

    Dying while you’re in police custody seems like a horrible way to go. However, some infamous cases that got the attention...

    Christine KingsMay 31, 2017

Privacy Preference Center