Omni Hotels, Noodles & Company, NC State Acknowledge Data Breaches

Omni Hotels & Resorts recently announced that point-of-sale systems at “some Omni properties” were infected with malware designed to collect payment card data, including cardholder names, credit or debit card numbers, security codes and expiration dates.

The Wall Street Journal reports that 49 of Omni’s 60 North American hotels were affected, and that over 50,000 payment card numbers related to the breach have been sold online by a hacker using the handle JokerStash.

Andrei Barysevich, director of cybercrime research at Flashpoint, told the Journal that hackers have been using the stolen card data to make fraudulent purchases since February.

The malware infections were discovered on May 30, 2016. “Upon learning of the intrusion, we promptly engaged leading IT investigation and security firms approved by the major credit card companies to determine the facts and contain the intrusion,” the company said in a statement. “The issue has been resolved, and we have taken steps to further strengthen our systems.”

“The attacks did not affect all of our hotels, and depending on the location, the malware may have operated between December 23, 2015 and June 14, 2016, although most of the systems were affected during a shorter timeframe,” the company added.

Only those guests who physically presented their payment cards at affected locations may be impacted by the breach. All those affected are being offered one year of free access to identity protection services from AllClear ID.

A separate point-of-sale breach impacted more than 400 Noodles & Company locations in 28 states between January 31 and June 2, 2016, Kaspersky reports.

The company began investigating unusual activity reported by its credit processor on May 17, and the breach was discovered on June 2.

“Since that time, Noodles & Company has been working with third-party forensic investigators to determine how the security compromise occurred and what information was affected,” the company said in a statement. “The company is also working to implement additional procedures to further secure guests’ debit and credit card information, including removing the malware at issue to contain this incident and to prevent any further unauthorized access to guests’ debit or credit card information.”

A list of affected Noodles & Company locations is available in a FAQ here.

Regarding the Noodles & Company breach, Brad Bussie, director of product management at STEALTHbits Technologies, told eSecurity Planet by email that it’s important to keep in mind that any malware needs a delivery mechanism. “Payment card systems and point of sale systems should be completely isolated and hardened to create a minimal attack surface,” he said.

“Organizations that allow removable devices, Internet browsing, and email on payment card networks are literally asking for a breach,” Bussie added. “When you cut off the traditional methods of malware propagation, the number of breaches will fall significantly. Companies should re-evaluate the systems they have deployed and — if they’re not already — start putting security first.”

Separately, North Carolina State University (NC State) recently announced that a “sophisticated phishing scam” provided an unauthorized person with access to a university email account containing 38,000 people’s personal information, WRAL reports.

The breach, which was discovered on June 3, 2016, exposed names, 2013 home addresses, student ID numbers and Social Security numbers.

“NC State has taken aggressive steps to avoid future unauthorized access to personal information,” the university said in a statement. “NC State has removed files and emails containing Social Security numbers from the compromised account, NC State has required affected users and members within the affected unit to change their account credentials and increase security protocols, including 2-step verification for account access as well as required additional and focused information security protocols be implemented throughout campus to all systems containing sensitive data.”

All those affected are being offered one free year of access to credit monitoring services.

A recent Centrify survey found that 66 percent of adults in the U.S. and 75 percent of adults in the U.K. are at least somewhat likely to stop doing business with a company that has suffered a data breach — and 21 percent of U.S. adults are very likely to do so.

“When companies put customer data at risk they are really putting their entire business at risk,” Centrify CEO Tom Kemp said at the time.

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles