In-brief: Starwood Hotels said on Friday that it was the victim of a malicious software infection on point of sale (POS) systems at restaurants, just the latest in a string of high-profile hotel chains to admit that it was the victim of a cyber attack involving compromises of point of sale systems and the theft of customer data.
Starwood Hotels said on Friday that it was the victim of a malicious software infection on point of sale (POS) systems at restaurants, just the latest in a string of high-profile hotel chains to admit that it was the victim of a cyber attack.
In a letter dated November 20, Starwood President of the Americas Sergio Rivera said that the hotel chain determined that the malicious software enabled “unauthorized parties to access payment card data” for Starwood customers including the cardholder name, payment card number, security code and expiration date. Starwood provided a list of more than 50 affected properties, including hotels under Starwood’s W, Westin, and Sheraton brands.
The affected properties include some of the more exclusive hotels in Starwood’s portfolio, including the Westin Maui Resort & Spa, The Westin St. Francis and The Palace Hotel in San Francisco, and The W New York Hotel in Times Square. The compromises date back as far as November, 2014 and extend to as late as October of this year, according to Starwood data.
The company said that it hired a third-party forensic firm to conduct an investigation and that it is working with law enforcement and payment card organizations on the case. Based on company data, the initial infection was noted in December, 2014, though many locations remained infected through April, 2015, with the longest compromise lasting more than a year.
Starwood is just the latest high-profile hotel chain to suffer a breach. In September, for example, The Trump Hotel Collection disclosed a similar incident, beginning in May, 2014 and running through June, 2015, that resulted in “unauthorized malware access” to computers that host the hotel’s “front desk terminals and payment card terminals in our restaurants, gift shops and other point-of-sale purchase locations at some hotels managed by the Trump Hotel Collection.” As with the Starwood incident, attackers made off with card data including payment card account number, card expiration date and security code. In some cases, cardholder first and last name may also have been pilfered.
News reports, such as an exclusive by the reporter Brian Krebs, have also indicated that Hilton Hotels may have experienced a breach that resulted in the theft of credit card data – an allegation that the hotel chain has not confirmed. As with the Starwood attack, those breaches targeted top Hilton hotel locations and the upscale Waldorf Astoria Hotels & Resorts as well as Embassy Suites, Doubletree, Hampton Inn and Suites.