Starwood Hotels Hacked


Starwood Hotels & Resorts recently announced that an undisclosed amount of customer payment card data may have been accessed when the point of sale systems at 54 of its hotels in North America were infected with malware.

A list of all affected hotels is available here [PDF].

"Promptly after discovering the issue, Starwood engaged third-party forensic experts to conduct an extensive investigation to determine the facts," the company said in a statement. "Based on the investigation, malware was detected that affected certain restaurants, gift shops and other point of sale systems at the relevant Starwood properties."

"The affected hotels have taken steps to secure customer payment card information and the malware no longer presents a threat to customers using payment cards at Starwood hotels," the company added.

The data collected by the malware includes cardholder names, payment card numbers, security codes and expiration dates.

"Quickly after we became aware of the possible issue, we took prompt action to determine the facts," Sergio Rivera, Starwood President, The Americas, said in a statement. "We have been working closely with law enforcement authorities and have been coordinating our efforts with the payment card organizations. We want to assure our customers that we have implemented additional security measures to help prevent this type of crime from reoccurring."

All those affected are being offered one year of free access to identity protection and credit monitoring services from AllClear ID. Customers with questions are advised to contact (855) 270-9179.

The announcement comes just days after Marriott International announced plans to acquire Starwood Hotels & Resorts.

Tripwire security researcher Lane Thames told eSecurity Planet that every company with a payment processing system of any kind will inevitably be a target in today's interconnected world. "Merchants and consumers all need to understand this, because no one is immune from the vast infestation of malware and malicious actors roaming around the Internet these days -- and it won't be changing for the better for the near future," he said.

And Protegrity CEO Suni Munshani noted by email that the hospitality industry is having a difficult year in terms of keeping its customers' payment information secure. "You would think after all the well-publicized hacking events that other chains would have stepped up their data security efforts to avoid being the next data breach poster child," he said. "The last thing someone wants to do during the holiday season is have to replace their credit cards."

In the hospitality industry, other recent victims of payment card breaches include Trump Hotels, Hilton Hotels, Mandarin Oriental, and Marriott hotels run by franchise operator White Lodging.

Recent eSecurity Planet articles have offered advice on strengthening database security and improving point-of-sale security.