Hotel operator warns of data breach
Attacks on point of sale systems at several upscale hotel and resort properties may have exposed card data on 3,400 customers
Computerworld - HEI Hospitality, owner and operator of upscale hotels operating under the Marriott, Sheraton, Westin and other monikers, has sent letters informing some 3,400 customers that their credit card data may have been compromised.
The warning stems from an intrusion into point of sale systems at several HEI properties earlier this year, which could have allowed card holder data being to be illegally accessed, the company said in the letter.
The intrusion could have exposed to hackers a variety of information, including credit card types, credit card numbers, expiration dates and security codes stored in the magnetic stripe on the back of each card.
The intrusions occurred between March and April, and the company sent out notification letters in August. The breach appears to have stayed largely under the media radar until it was reported this week by Databreaches.net.
A HEI spokesman today said that though the company has notified 3,400 customers, there is no indication so far that the credit card data has been misused.
A copy of the HEI letter posted on the Web site of New Hampshire's Attorney General indicates that properties in several states were impacted by the breach. Those include the Algonquin Hotel in Manhattan, five Marriott hotels and five properties in the Starwood chain operating under as Sheraton, Westin and other brands.
In each case, hackers may have accessed the payment card data between March 25 and April 17 via the compromised point of sale systems. The hackers also compromised the property management system at the Algonquin Hotel, according to the letter signed by Troy Waterman, HEI's senior vice president of finance.
HEI is offering affected customers a year's worth of credit monitoring services for free.
Attacks against point of sale systems have been an area of growing concern for the Payment Card Industry Security Standards Council, the body that administers the payment industry's PCI security rules.
The council earlier this year released new security requirements that all vendors of payment card devices are required to implement in the near-term. The requirements are designed to bolster security on retail point-of-sale card readers and include one that would enable the secure reading and encryption of sensitive cardholder data at the point where a credit or debit card is swiped.
Robert McMillan of the IDG News Service contributed to this story.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Live Webcast Best Practices: How to Improve Business Continuity with Virtualization VMware solutions include a range of business continuity capabilities to help ensure availability for applications across your virtualized environment. Learn More>>
- Live Webcast
Transforming Finance, Procurement and Supply Chain Effectiveness with Cross-Functional Analytics
Date: May 6th, 2014
Time: 1 PM EDT
Attend this Webcast to find out how Oracle's packaged analytic applications enable line-of-business managers to examine all...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Cybercrime and Hacking White Papers | Webcasts