The affected hotel locations are franchised and managed by a company called White Lodging Services – its portfolio includes 168 hotels in 21 states. The company said in a statement that the locations were compromised during the period of March 20 to Dec. 16, 2013, via PoS systems for food and beverage outlets on the properties.
At one property, the Radisson Star Plaza in Merrillville, Ind., the PoS and property management systems used at the front desk were also suspected of being affected. Guests at the hotel who did not use their credit card at these outlets, and guests who used room charges, weren’t exposed.
Researcher Brian Krebs first broke the news, saying that credit and debit card information on “thousands of guests throughout much of 2013” had likely been lifted. Krebs cited multiple banking-industry sources as confirming that there has been a pattern of fraud on hundreds of cards that were all previously used at specific Marriott hotels, including locations in Austin, Chicago, Denver, Los Angeles, Louisville and Tampa – locations that are all managed by White Lodging.
The hacked data may have included names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates.
White Lodging has contacted federal law enforcement officials and initiated a third-party forensic review, including a review of all other properties managed by the company.
For its part, Marriott acknowledged that “one of its franchisees has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels.”
It added, “They are in the midst of the investigation and are in close contact with the banks and credit cards companies. We are working closely with the franchisee as they investigate the matter. Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide. As this impacts customers of Marriott hotels we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely.”