US chain Rosen Hotels & Resorts looks like the latest hotel firm to suffer a major data breach after failing to spot an unauthorized cyber intrusion for over 17 months.
In a lengthy statement on the matter, the firm claimed it began receiving reports in early February from guests who saw unauthorized charges on their cards after staying in one of the chain’s hotels.
A cybersecurity firm hired to investigate found evidence of foul play.
The statement continued:
“Findings from the investigation show that an unauthorized person installed malware in RH&R’s payment card network that searched for data read from the magnetic stripe of payment cards as it was routed through the affected systems. In some instances the malware identified payment card data that included cardholder name, card number, expiration date, and internal verification code. In other instances the malware only found payment card data that did not include cardholder name. No other customer information was involved. Cards used at RH&R between September 2, 2014 and February 18, 2016 may have been affected.”
Rosen Hotels & Resorts said it would be emailing or sending a letter to affected guests for whom it has a name and contact details, but it warned everyone who has stayed at one of the firm’s hotels over the affected period to be vigilant.
“You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner,” it said.
There’s a dedicated helpline for customers who think they may have suffered identity theft as a result of the breach, and the hotel chain claimed they can order a free annual credit report from three nationwide specialist companies: Experian, Equifax and TransUnion.
Rosen is by no means the first hotel chain to be hit by a data breach of this kind.
Kane Hardy, VP of EMEA at Hexis Cyber Solutions, argued that hotels are an obvious target given the wealth of personal information they hold on guests.
“In addition, the very nature of hotels means that there are a variety of different devices connecting to internet services and networks. As history has shown us then as the number of endpoints increases, so does the risk of attack,” he added.
“In the hotel industry, reliance on traditional perimeter security is not enough. It is becoming critical for organizations to be able to persistently correlate threat intelligence from within networks to actively respond and eliminate these security issues.”
“By taking a next generation approach to integrated network and endpoint threat verification with automated persistent response, hotel groups can better mitigate threats before data loss occurs. This approach can be effective in protecting data, even if the network is compromised.”