By Jim Daly
@DTPaymentNews
Two hotel and resort chains this week reported apparent data breaches involving payment cards used at their locations. These latest compromises come less than two weeks after HEI Hotels & Resorts confirmed that malware may have captured card data from eateries or other places inside 20 of its properties.
On Thursday, Greenwood Village, Colo.-based Millennium Hotels & Resorts North America said it “has become aware of a data-security incident involving food and beverage point-of-sale systems at 14 of its hotels in the United States.” The U.S. Secret Service first informed the company of the apparent data compromise.
“Initial information suggests that the incident affected point-of-sale systems that processed customer card payments—primarily within food and beverage facilities operating at the hotels,” the company said in a news release.
The compromise occurred between early March and mid-June. Millennium, which has 14 luxury or boutique U.S. properties, isolated and then took the affected POS systems offline.
“Subsequently, MHR was notified by a third-party service provider—that supplies and services the affected point-of-sale systems—that it had detected and addressed malicious code in certain of its legacy point-of-sale systems, including those used by MHR,” the release says. “MHR immediately adopted additional security measures, as recommended by the third-party service provider.”
Millennium said the POS systems are separate from its other systems, including its property-management and booking systems. “The results from MHR’s current investigation do not indicate compromise of those other systems,” the company said.
Millennium did not say if any fraud had been confirmed, but it recommended that customers who used their cards at its properties from March to June review their card records for any suspicious activity.
On Wednesday, Kirkland, Wash.-based Noble House Hotels and Resorts reported that the Secret Service notified it July 13 “about possible fraudulent activity on the payment card system” at one of its properties, the Ocean Key Resort and Spa in Key West, Fla.
Noble House then hired a computer security firm, which on July 26 confirmed that cards used between April 26 and June 8 may have been compromised. The compromise affected card transactions at the resort itself and its dining establishments, including the Hot Tin Roof Restaurant, Sunset Pier bar, and Liquid Pool Bar, the company said in a news release. Possibly stolen were magnetic-stripe data, including card numbers, cardholder names, and card-verification values.
The company did not disclose the number of guests affected, but said it informed everyone for whom it had contact information, and that it would reimburse guests for “reasonable, documented costs” not covered by their card issuers.
Branden R. Williams, a Dallas-based independent payment-security consultant, speculates that these latest breaches could be related to the recent announcement by Oracle Corp.’s Micros unit, whose POS systems are widely used in the hospitality industry, that it had found malware on some of its legacy POS systems.
“Until we hear more from Oracle on the breach, it’s going to be difficult to really see the impact,” Williams tells Digital Transactions News by email. “In addition, hospitality can be one of the more difficult industries to deal with when it comes to payment security.” That’s because hotels often rely on external reservation systems, and traditional payment flows typically stored a card’s full primary account number [PAN] during the entire reservation period, he says.
Williams says Micros users should change any remote-access passwords, protect remote access with two-factor authentication, and set up alerts for failed login attempts.
These two new breach disclosures follow the data breach that Norwalk, Conn.-based HEI, which operates hotel and resort properties under the Starwood, Hilton, Marriott, and other brands, reported Aug. 12. HEI’s card processor said malware captured cardholder names, account numbers, expiration dates, and verification codes as the information was entered at restaurants, bars, spas, and gift shops. The breach happened at HEI properties in Florida, California, Colorado, Illinois, Minnesota, Pennsylvania, Tennessee, Texas, Vermont, Virginia, and Washington, D.C.