The chain that owns Westin, Starwood, Marriott, Hyatt, Intercontinental and Le Méridien hotels – HEI Hotels & Resorts – on Friday said that point-of-sale (POS) systems at several properties had been infected with malware that could let crooks get at customers’ credit card details, including names, card account numbers, expiration dates, and verification codes.
The intruders apparently didn’t gain access to PINs, since the POS system doesn’t collect them.
In a more detailed data breach notice, HEI listed 20 affected hotels, all in the US.
HEI said the breach has now been contained and that it’s safe to use payment cards at its hotels.
In an FAQ about the incident, the company said that it doesn’t store credit or debit card information, which leads it to believe that the malware was accessing payment card information “in real-time,” as it was being input into the POS systems.
HEI said it can’t determine if any particular customer was affected.
But based on forensics, it’s looking like customers who should be keeping an eye on their card statements to look for fraudulent transactions are those who made a payment card purchase at POS terminals – such as those in restaurants, bars, spas, lobby shops and other facilities – at the affected hotels during the dates listed in a table on the FAQ.
Those dates vary between hotels, but the earliest date for the breach seems to be March 2015, and the breaches continued until as late as June 2016 for some of those properties.
Unfortunately, you can’t expect a call or an email if you’ve been affected, given that HEI doesn’t store the card details and thus can’t tell who used the cards, or when, or where.
That also means that HEI isn’t sure how many customers have been affected. As it is, some customers could have used their cards multiple times, HEI spokesman Chris Daly told Reuters.
Daly said that some 8,000 transactions occurred during the affected period at the Hyatt Centric Santa Barbara hotel in California, and about 12,800 at the IHG Intercontinental in Tampa, Florida.
The malware affected 12 Starwood hotels, six Marriott properties, one Hyatt hotel and one Intercontinental hotel.
HEI discovered the breach some time in June. It didn’t say how.
But once it did uncover the card-slurping malware, the company shifted payment card processing to a stand-alone system, completely isolated from the rest of its network.
It disabled the malware and reconfigured POS and payment card processing systems to bolster the security – again, it didn’t give details of how – and help to prevent a recurrence.
The breach follows similar POS attacks on other hotels: in December, Hyatt said that 250 hotels were drained of card details, for example.
Other chains that have been hit by POS malware include the massive Target breach of 2013, which affected some 40 million payment card details.
At the beginning of 2014, Neiman Marcus waved goodbye to an undisclosed number of payment cards.
In June 2014 P.F. Chang’s China Bistro restaurant chain began investigating a potential breach, later confirming that payment cards used in a number of its restaurants may have been compromised.
In August 2014, we saw POS malware rear its ugly head once again as Supervalu disclosed a breach. The retailer said it was investigating the potential theft of payment card data from as many as 200 of its stores.
In September 2014 we saw another huge breach as 56 million payment cards were compromised after custom malware was used to target Home Depot‘s POS systems.
Weren’t chip cards supposed to stop this?
As we’ve noted in the past, the only possible good to come from so many data breaches is the potential hastening of the death knell for the magnetic stripe credit cards so beloved in the US.
Unlike the EMV Chip and PIN cards used by much of the rest of the world, the so-called magstripe cards are especially prone to being cloned by crooks.
Security journalist Brian Krebs predicted back in July 2015 that the end of mag stripe cards may well have been nigh, given that merchants will bear the cost of fraud undertaken with counterfeit cards unless they’ve installed chip-enabled card readers:
In October 2015, merchants that have not yet installed card readers which accept more secure chip-based cards will assume responsibility for the cost of fraud from counterfeit cards.
…but the fact that we’re still hearing about POS breaches means we’ve still got a way to go.
As of February, months after that October 2015 deadline, only 37% of US retailers were ready to process chip-embedded credit and debit cards.
Here’s a representative comment submitted to a survey of retailers, as quoted by Ars Technica:
This has been a major pain in the a$$. Terminal manufacturers weren’t ready, the processors and certification people weren’t ready; we spend more of our own $$ to clean up their mess.
What to do?
For retailers: Beyond the hassle of installing the new card readers, you might also want to read our 6 tips for keeping your data safe and revisit your incident response plans.
For hotel patrons: Review your credit and debit card account statements as soon as possible in order to sniff out any bogus charges. See something fishy? Call the company that issued the card immediately.
For everyone with a network: Consider dividing up your network so that crooks who invade one part of it can’t roam around at will and implant malware on cash registers and other customer-facing computers. HEI separated off its payment computers after this breach, but doing it proactively is a much better plan!
By the way, even though taxpayer IDs weren’t included in the HEI breach, the company’s prepared a reference guide to identity theft protection that describes what steps customers can take to help protect themselves, including recommendations from the Federal Trade Commission regarding identity theft protection.
LEARN MORE ABOUT DIVIDING UP YOUR NETWORK
(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)
Tom James (@Kiytan)
as someone from the UK, it seems strange that the USA hasn’t adopted chip&pin yet, as it’s been the standard here for a decade or so.
Paul Ducklin
The US has adopted chip cards, or is supposed to have done, as noted above. Apparently there was pushback about having PINs, howeer, so the compromise was “chip and sign”, which sounds ridiculous except that the main problem with checking signatures seems to be that no one bothers (a part of the protocol that PIN entry avoids). Nevertheless, the chip part of each card is much, much harder to clone. So far so good.
I hope I have this part right – correct me if not – but it seems that the incentive needed to accelerate the acceptance and real-world use of chip cards in the USA (and to encourage people to bother upgrading before their current stripe-only card runs out) is missing.
IIRC, merchants who use old-school card processing equipment bear all liability for fraud, while those who switch to chip-capable PoS devices don’t. So far so good.
Except that if you run the magstripe of a chip-capable card through the magstripe reader of a chip-capable PoS device, you get the same liability protection as running the chip through the chip reader. So even in chip-ready point-of-sale devices, magstripe use is still the norm, and there is no liability-based incentive to switch. I have even heard stories of merchants taping over the chip-reader slot, allegedly to “encourage” purchasers to pay in the old way…apparently it’s slightly faster and that means happier customers.
Backward compatibility. Heigh ho.
Bryan
As a USA-ian I can confirm much of this. I don’t know about the magstripe use of chip-capable gear, but…
– my ‘other’ bank could not offer me a PIN longer than 4 digits :-(
– last year our facility’s banquet hall had me on high alert watching new CC readers plug in and phone home (abracadabra)
– I’ve noticed any scribble can authorize a transaction and even have heard of smiley faces doing so
– the chip transactions to seem to take slightly longer, maybe ten, fifteen seconds
– we Americans are notorious for cramming schedules too full and being impatient–albeit not that I contrast much with that
– aside learning security principles (i.e. here at NS) I’ve seen nothing to encourage my own card upgrade
To exacerbate the last point… I memorize all my CC numbers. Depending on use it takes a week or so but routinely proves itself extremely handy. My bank just today texted me that they’ve sent a new card (xxx-xxx-1234, a new card number) to supplant the one which expires 2017/11. I’ll need to memorize a new card now and will activate it for the security benefits I know it brings, but were I not a Junior Proselytizer I’d fight them until next November.
Bryan
I never saw a chip card until maybe 18 months ago. We can be a stubborn lot–we’ve toyed with and neglected the metric system for 50 years now.
Then again… using it now would certainly make that old Proclaimers song difficult to sing:
And I would walk 804.672 kilometers
And I would walk 804.672 more
Just to be the man who walks 1609.34 kilometers
To fall down at your door
Bah, you Euros can keep your changes for another deca-year.
Paul Ducklin
All systems of measurements are “metric systems” :-) The US is a holdout against using the SI system…
The UK, happily, went SI around the time of the millennium (I saw a TV quiz show the other day where a guy in his mid thirties wasn’t 100% sure that there were 12 inches in a foot, which I thought was a delightful sign of scientific and engineering progress).
But there is an annoying exemption for signposted speeds and distances, leading to the absurdity that the distance *markers* on public roads are in kilometres (the highway agency marker posts every 100m or 200m) while the signs for drivers are in miles.
Of course, the US doesn’t use the Imperial system either (thus your tons and pints are different from what they used to be in the UK and its former empire).
And you guys don’t use the ABC paper sizing system. Even the UK adopted that, more than 50 years ago. (The system where A0 is a sheet of one square metre in the ratio 1 to root(2), and where you get the next size down by the brilliant expedient of folding the current sheet in half.)
But I digress.
Bryan
All systems of measurements are “metric systems” :-) The US is a holdout against using the SI system
hahah, a valid point my friend. Ah, how the nomenclature gets us every time. Dang you Paul, you’ve given me another oddity to eschew the word “metric”–because of course I will. I already elicit strange looks when I say “lectern”–everyone else thinks it’s a podium. Although I will mention I assumed “metric” stemmed from the word “meter” as in the unit of length and not as in the practice.
I’m not a complete holdout however; at least I don’t still use the term “Indian” if I mean “Native American” (when I was a kid no one had heard that phrase). Nor do I ever measure anything in hogsheads or bushels. And of course I’m the only one in my building to use the word lectern.
It’s absurdly reassuring to know other places still suffer inconsistencies. Early 2002 found me in London wandering (har) about road signs: “wait, I thought Brits are [SI], but that said miles.”
We have far too many obstinate owners of 8 1/2 x 11 paper for the other system to ever catch on here. I know someone wise who once said, backward compatibility. Heigh ho.
Steve
Institute a “swipe tax” and things should start to turn around. That approach worked rather well a couple of dozen decades ago… not too many tea drinkers here in the USA! ;-)