Hotel operator warns of data breach
Attacks on point of sale systems at several upscale hotel and resort properties may have exposed card data on 3,400 customers
Computerworld - HEI Hospitality, owner and operator of upscale hotels operating under the Marriott, Sheraton, Westin and other monikers, has sent letters informing some 3,400 customers that their credit card data may have been compromised.
The warning stems from an intrusion into point of sale systems at several HEI properties earlier this year, which could have allowed card holder data being to be illegally accessed, the company said in the letter.
The intrusion could have exposed to hackers a variety of information, including credit card types, credit card numbers, expiration dates and security codes stored in the magnetic stripe on the back of each card.
The intrusions occurred between March and April, and the company sent out notification letters in August. The breach appears to have stayed largely under the media radar until it was reported this week by Databreaches.net.
A HEI spokesman today said that though the company has notified 3,400 customers, there is no indication so far that the credit card data has been misused.
A copy of the HEI letter posted on the Web site of New Hampshire's Attorney General indicates that properties in several states were impacted by the breach. Those include the Algonquin Hotel in Manhattan, five Marriott hotels and five properties in the Starwood chain operating under as Sheraton, Westin and other brands.
In each case, hackers may have accessed the payment card data between March 25 and April 17 via the compromised point of sale systems. The hackers also compromised the property management system at the Algonquin Hotel, according to the letter signed by Troy Waterman, HEI's senior vice president of finance.
HEI is offering affected customers a year's worth of credit monitoring services for free.
Attacks against point of sale systems have been an area of growing concern for the Payment Card Industry Security Standards Council, the body that administers the payment industry's PCI security rules.
The council earlier this year released new security requirements that all vendors of payment card devices are required to implement in the near-term. The requirements are designed to bolster security on retail point-of-sale card readers and include one that would enable the secure reading and encryption of sensitive cardholder data at the point where a credit or debit card is swiped.
Robert McMillan of the IDG News Service contributed to this story.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Cybercrime and Hacking in Computerworld's Cybercrime and Hacking Topic Center.
- Step Out of the Bull's-Eye Learn about the evolution of targeted attacks, the latest in security intelligence, and strategic steps to keep your business safe.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily... All Cybercrime and Hacking White Papers | Webcasts