Point-of-Sale Breach Hits Hyatt, Marriott, InterContinental, Starwood Hotels

HEI Hotels and Resorts recently announced that 20 of its properties appear to have been hit by a point-of-sale (POS) breach that may have exposed the payment card information (including names, account numbers, expiration dates and verification codes) of customers who used payment cards to make purchases at POS terminals at its properties.

The company was alerted to the breach by its card processor. “We do not store credit or debit card number of our customers,” HEI stated in a FAQ. “We believe that the malware may have accessed payment card information in real time as it was being inputted into our systems.”

“After learning of the incident, we took prompt steps to address and contain it, including transitioning payment card processing to a standalone system that is completely separated from the rest of our network and disabling the malware and have reconfigured our point-of-sale and payment card processing systems to enhance the security of these systems and to help prevent this type of incident from happening again in the future,” the company added.

The 20 affected hotels include the Boca Raton Marriott at Boca Center, Dallas Fort Worth Marriott Hotel & Golf Club, Equinox Resort, Hotel Chicago Downtown, Hyatt Centric Santa Barbara, InterContinental Tampa Bay, Le Meridien Arlington, Le Meridien San Francisco, Renaissance San Diego Downtown, Royal Palm South Breach Miami, San Diego Marriott La Jolla, Sheraton Music City, Sheraton Pentagon City, The Hotel Minneapolis Autograph Collection, Westin Minneapolis, Westin Pasadena, Westin Philadelphia, Westin Snowmass Resort, Westin Washington, D.C. City Center, and Westin Fort Lauderdale.

The dates affected vary by location, but range from March 2015 to June 2016.

Netsurion CISO John Christly told eSecurity Planet by email that hospitality companies need to understand that they’re in a digital war with cybercriminals. “And it’s a harsh reality that the war is being won far too often by these hackers,” he said. “Any business, regardless of size or vertical specialty, that processes payment data or offers free Wi-Fi to guests, is a lucrative breach target, but unfortunately, large chains like HEI have bull’s-eyes on their backs — enticing hackers with large quantities of valuable information such as credit card data for patrons, sensitive employee data for staff, and sometimes even medical data used by in-house care facilities.”

George Rice, senior director of payments for HPE Security-Data Security, said the breach highlights some of the unique challenges faced by the franchising industry. “According to reports, this data breach has only affected 20 hotel locations but is causing broad reputational damage to some of the largest hotel brands in the world,” he said. “Businesses must consider the far-reaching consequences of a data breach and require that their franchisees adhere to strict data security practices in order to avoid negative impacts.”

HEI Hotels’ breach announcement comes just days after Hold Security researchers announced that the same Russian hackers who breached a customer support portal for Oracle’s MICROS POS system also hit POS vendors Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell.

Visa also recently issued a security alert warning Oracle MICROS users to check their machines for malware or unusual activity, and to change all MICROS passwords, KrebsOnSecurity reports. “We also recommend that you change the password for any account that was used by a MICROS representative to access your on-premises systems,” the notice states.

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles