More Hotel Data Breaches And Credit Cards Left Online Without Security

Today we learned that two separate hotel chains are warning their customers that they have suffered point-of-sale malware infections that compromised customers’ payment card data. Both chains say they were alerted to related card fraud by the U.S. Secret Service and that they’re now assisting law enforcement agencies in their investigations.

The first chain is Millennium Hotels & Resorts North America, which is based in Denver. The company states that it was subject to a malware infection that lasted more than three months and resulted in a breach of card data from “food and beverage POS systems” at all 14 of its U.S. hotels. Here is a link to the Millennium Hotels Breach Notice.

In a separate incident, Noble House Hotels and Resorts, based in Kirkland, Wash., has warned that systems at Ocean Key Resort & Spa in Key West, Fla., were infected by POS malware from April 26 to June 8 of this year.

Noble House says anyone who used a payment card at the hotel during that time – including at its restaurant and bars – may have had their card data compromised.

The Ocean Key breach follows a 2015 breach at another of their properties, The Commons, a hotel located in Minneapolis. Noble said that a POS malware infection at that hotel from January to August 2015 resulted in the suspected theft of 19,000 payment cards.

In the case of this latest Noble hotel breach, spokesman Simon Barker said that the hotel chain had hired FireEye’s Mandiant incident response firm to investigate.

“At this time, it appears that 12,134 payment cards may have been affected by the incident at Ocean Key Resort,” Barker stated. “We are in the process of sending notification letters to the guests for whom we have names and contact information. Legal notices have been placed in newspapers and a press release distributed nationally.” The company says it’s also working with payment card issuers to help them directly notify affected cardholders as well as institute heightened fraud monitoring.

Here is a link to the Noble House Hotels and Resorts Data Breach Notice.


In both POS exploit cases, attackers may have compromised the cardholders’ names, payment card numbers, expiration dates and CVV numbers.

The simultaneous timing of the two breach alerts, together with the fact that both hotel chains learned about the breaches from the Secret Service, suggests that the same cybercrime group may have been responsible for both breaches.



In separate news, but related to hotels and credit card security, we also learned that the hotel chain Silverland Hotel & Spas, which operates five hotels in Vietnam’s popular destination Ho Chi Minh City, formerly known as Saigon, left a database online with no password (or other protection), according to researchers at the MacKeeper Security Research Team.

Some of the data on display included customers’ IP addresses, booking status, flight information (flight number, arrival and departure time), detailed guest information (name, age, gender, phone, email address), and detailed credit card information (card type, number, name on card, expiration date and CVV). The MacKeeper researchers provided details in a blog post published on Tuesday. Disclosure was made responsibly, only after the hotel finally secured the database.


