Hilton Hotels Admits POS Data Breach

Hotel giant Hilton Worldwide has admitted that Point of Sale malware on some of its systems has exposed an unidentified number of customers to payment card data theft.

The notice comes over two months after journalist Brian Krebs claimed hackers may have compromised registers in gift shops and restaurants at a “large number” of Hilton properties.

The Hilton portfolio covers over 4,000 properties in more than 90 countries worldwide including Waldorf Astoria Hotels & Resorts, Conrad Hotels & Resorts, Curio - A Collection by Hilton, DoubleTree by Hilton, Embassy Suites by Hilton, Hilton Garden Inn, Hampton by Hilton, Homewood Suites by Hilton, Home2 Suites by Hilton and Hilton Grand Vacations.

The firm said the following in an FAQ on its site:

“While we cannot address the actual number of cards impacted, as a precautionary measure, customers may wish to review and monitor their payment card statements if they used a payment card at a Hilton Worldwide hotel over a seventeen week period, from November 18 to December 5, 2014 or April 21 to July 27, 2015.”

Although addresses, personal identification numbers (PINs) and Hilton HHonors account information weren’t taken, hackers may have accessed cardholder names, payment card numbers, security codes and expiration dates—enough to commit payment fraud.

The hotel chain said it had “taken action to eradicate unauthorized malware” and claimed it had also “further strengthened its systems,” but didn’t give specifics.

Justin Harvey, CSO at Fidelis Cybersecurity, argued that POS systems have been a target for hackers for years.

“For this reason, Hilton Hotels should have been hunting and profiling its POS endpoints for malware, to stop the attackers in their tracks. Often breaches such as this occur due to an over-reliance on ‘tactical’ threat intelligence, which is generated by machines and doesn’t properly investigate vulnerabilities or suspicious behavior,” he added.

“As the amount of data increases exponentially, the perimeter erodes and cloud usage ramps up, investment needs to be shifted to ‘strategic’ intelligence services, where experts analyse threats and draw conclusions about a threat group. Only then can companies correlate trends and common traits of attacks, to inform a long-term prevention strategy.”

Hilton is by no means the only hotel chain to have been caught out by hackers recently. Trump Hotels, Starwood and the Mandarin Oriental Hotel Group have all suffered breaches.
