Mandarin Oriental Hotels Hacked
Hotels in Boston, Las Vegas, Miami, New York and Washington, D.C., are likely affected.
Financial industry sources had notified Krebs of a pattern of fraudulent charges on customer payment cards, all of which had recently been used at Mandarin Oriental locations.
The breach appears to date back to just before Christmas 2014.
While Mandarin Oriental hasn't yet stated which of its hotels are impacted, Krebs' sources said the breach almost definitely affected Mandarin Oriental locations in Boston, Las Vegas, Miami, New York and Washington, D.C.
"We can confirm that Mandarin Oriental has been alerted to a potential credit card breach and is currently conducting a thorough investigation to identify and resolve the issue," the company told Krebs by email. "Unfortunately incidents of this nature are increasingly becoming an industry-wide concern."
"The Group takes the protection of customer information very seriously and is coordinating with credit card agencies and the necessary forensic specialists to ensure our guests are protected," Mandarin Oriental added.
Krebs says the breach may only affect payment terminals at bars, restaurants and gift shops in the affected hotels, rather than the hotel front desk systems. That was also the case in a recent breach at several Marriott hotels run by White Lodging Services, as well as a previous breach in 2013 at 14 hotels run by the same franchise operator.
Rapid7 global security strategist Trey Ford told eSecurity Planet by email he's frustrated to see so many breaches continuing to occur. "The payment card industry has built a data security standard (the PCI-DSS) in an effort to improve the security programs of all companies that handle credit cards," he said. "After a breach, the payment brands have a forensic investigation performed to understand how the criminals succeeded, and improve the odds of pursing the perpetrators."
"While the payment brands get the detailed report, the rest of the industry does not," Ford added. "Maybe we will see Mandarin step up and explain how exactly they were compromised, and how other organizations can prevent attackers from using the same technique."
Ford suggests that anyone who recently stayed at a Mandarin Hotel location consider contacting their credit card company and requesting a new card. "As the trend of corporate compromise continues, I would encourage all consumers to keep a watchful eye on your statements, doubly so if you use your debit card routinely," he said.
Photo courtesy of Shutterstock.