Marriott, Hyatt, Starwood Hit by Major Card Data Theft

In the latest major hospitality breach, 20 hotels run by HEI Hotels and Resorts, including Hyatt, Marriott, Starwood and Intercontinental properties, have been hit with point-of-sale malware.

The attack was active March 1, 2015 through June 21, 2016, potentially affecting thousands and thousands of customers. The malware was designed to lift payment card data—including name, payment card account number, card expiration date and verification code.

HEI said that it was recently alerted to the incident by its card processor.

“Based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software on our payment processing systems at certain properties designed to capture payment card information as it was routed through these systems,” it said in a statement.

“The security of a system as a whole is as strong as the strength of its weakest link,” said Giovanni Vigna, Lastline co-founder and CTO. “That’s why complex systems that handle sensitive information should have multiple levels of protections to ensure that no device can be infected. PoS malware is particularly hard to detect because often PoS systems do not have in-host endpoint protection. In these cases, network-level protection systems become paramount.”

As hotel after hotel falls to PoS malware, Philip Lieberman, president of Lieberman Software, said that cybersecurity leadership is clearly almost non-existent in the hospitality vertical.

“One could imagine that a large hospitality company could (or would) provide a centralized network operations center (NOC) and security operations center (SOC) capability, but that is not the case today,” he said via email. “There are costs of operating such facilities as well as privacy issues that would need to be addressed, but no hotel chain to date has stepped up and shown leadership in cybersecurity.”

He added, “I would think great cybersecurity would be perceived as a competitive advantage given the number of customers booking online, but there is a lot of legacy thinking going on—maybe they are still expecting bookings on their Telex machine/teletype and fax, and the newfangled Internet bookings are a passing fad like the Beatles.”
