Starwood Hotels & Resorts Worldwide today warned that malware designed to help cyber thieves steal credit and debit card data was found on point-of-sale cash registers at some of the company’s hotels in North America. The disclosure makes Starwood just the latest in a recent string of hotel chains to acknowledge credit card breach investigations, and comes days after the company announced its acquisition by Marriott International.
Starwood published a list (PDF) of more than 50 of its hotel properties — mostly Sheraton and Westin locations across the United States and Canada — that were impacted by the breach. According to that list, the breach started as early as November 2014 in some locations, ending sometime in April or May for all affected hotels.
As with other ongoing hotel breaches, the malware that hit Starwood properties affected certain restaurants, gift shops and other point of sale systems at the relevant Starwood properties.
“We have no indication at this time that our guest reservation or Starwood Preferred Guest membership systems were impacted,” Starwood President Sergio Rivera wrote in a letter to affected customers. “The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date. There is no evidence that other customer information, such as contact information, Social Security numbers or PINs, were affected by this issue.”
Starwood joins several other major hotel brands in announcing a malware-driven credit card data breach. In October 2015, The Trump Hotel Collection confirmed a report first published by KrebsOnSecurity in June about a possible card breach at the luxury hotel chain.
On Sept. 25, this author first reported that the Hilton Hotel chain is investigating reports of a pattern of card fraud traced back to some of its properties. Bank sources said the fraud pattern they’re seeing all traces back to restaurants and gift shops at various Hilton locations. The company hasn’t commented further beyond its initial statement in September that it was looking into the matter.
In March, upscale hotel chain Mandarin Oriental acknowledged a similar breach. The following month, hotel franchising firm White Lodging acknowledged that — for the second time in 12 months — card processing systems at several of its locations were breached by hackers. Each time, the breach was traced back to point of sale systems at food and beverage outlets inside the White Lodging properties.
Readers should remember that they are not liable for unauthorized debit or credit card charges, but with one big caveat: the onus is on the cardholder to spot and report any unauthorized charges. Keep a close eye on your monthly statements and report any bogus activity immediately. Many card issuers now let customers receive text alerts for each card purchase and/or for any account changes. Take a moment to review the notification options available to you from your bank or card issuer.
Source: Krebs