Hotel operator warns of data breach

Attacks on point of sale systems at several upscale hotel and resort properties may have exposed card data on 3,400 customers

HEI Hospitality, owner and operator of upscale hotels operating under the Marriott, Sheraton, Westin and other monikers, has sent letters informing some 3,400 customers that their credit card data may have been compromised.

The warning stems from an intrusion into point of sale systems at several HEI properties earlier this year, which could have allowed card holder data being to be illegally accessed, the company said in the letter.

The intrusion could have exposed to hackers a variety of information, including credit card types, credit card numbers, expiration dates and security codes stored in the magnetic stripe on the back of each card.

The intrusions occurred between March and April, and the company sent out notification letters in August. The breach appears to have stayed largely under the media radar until it was reported this week by

A HEI spokesman today said that though the company has notified 3,400 customers, there is no indication so far that the credit card data has been misused.

A copy of the HEI letter posted on the Web site of New Hampshire's Attorney General indicates that properties in several states were impacted by the breach. Those include the Algonquin Hotel in Manhattan, five Marriott hotels and five properties in the Starwood chain operating under as Sheraton, Westin and other brands.

In each case, hackers may have accessed the payment card data between March 25 and April 17 via the compromised point of sale systems. The hackers also compromised the property management system at the Algonquin Hotel, according to the letter signed by Troy Waterman, HEI's senior vice president of finance.

HEI is offering affected customers a year's worth of credit monitoring services for free.

Attacks against point of sale systems have been an area of growing concern for the Payment Card Industry Security Standards Council, the body that administers the payment industry's PCI security rules.

The council earlier this year released new security requirements that all vendors of payment card devices are required to implement in the near-term. The requirements are designed to bolster security on retail point-of-sale card readers and include one that would enable the secure reading and encryption of sensitive cardholder data at the point where a credit or debit card is swiped.

Robert McMillan of the IDG News Service contributed to this story.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon