According to investigative reporter Brian Krebs, sources in the banking industry have linked a pattern of credit card fraud to point-of-sale systems in gift shops and restaurants at Hilton properties throughout the United States.
Visa sent alerts to financial institutions in August 2015 warning of a breach at an unidentified company between April 21, 2015 and July 27, 2014. While Visa didn’t identify the company, sources at five different banks told Krebs they’ve determined that the only common point of purchase for the affected cards was Hilton properties, including not only Hilton Hotels but also Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts.
Sources told Krebs the breach may date back to November 2014, and may still be ongoing. It’s not yet clear which locations may be affected.
“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” a Hilton spokesperson told Krebs. “We have many systems in place and work with some of the top experts in the field to address data security.”
“Unfortunately, the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace,” the spokesperson added. “We take any potential issue very seriously, and we are looking into this matter.”
Like the recent breaches at Mandarin Oriental and White Lodging hotels, the breach seems to be linked to compromised point-of-sale systems at restaurants and gift shops in Hilton properties, not to their reservation systems.
Netsurion CEO Kevin Watson told eSecurity Planet by email that while there’s no silver bullet to block every threat, making sure that data doesn’t leave the network without the admin’s knowledge (and that if it is sent out, it only goes to verified Internet addresses) can make a significant difference. “Security must be layered with a properly managed firewall, data encryption, network segmentation, passwords and access controls, software updates and anti-virus/anti-malware software,” he said. “Along with protecting incoming traffic and preventing access by malicious actors, it’s critical to limit outbound Internet traffic as well.”
And iSheriff executive chairman James Socas said by email that POS devices simply can’t be a security afterthought for any company. “Given today’s growing security threat landscape, it’s a critical time for businesses to examine and enhance POS security capabilities,” he said.
“Today’s POS devices are mission critical, sophisticated business devices, and every POS implementation should have a robust, modern security solution,” Socas added. “It should leverage the power of the cloud, continuously update in real time to keep pace with dynamic POS-specific malware, and guard against today’s multi-layered threats.”
A recent eSecurity Planet examined the challenges of improving POS security.