White Lodging Services Corp., an independent hotel-management firm, this week announced a “suspected breach” of the point-of-sale systems for the food and beverage operations in 10 hotels it manages. This incident follows a breach of the POS systems at the food and beverage locations in 14 White Lodging-managed hotels in 2013, with eight hotels hit in the first breach also compromised in the new one.
The latest incident apparently did not affect the hotels’ front-desk reservation systems. Merrillville, Ind.-based White Lodging manages 159 hotels for their owners, whose properties bear the brands of major chains such as Marriott and Starwood.
In an April 8 news release and an update on its Web site, White Lodging says it first learned of the incident on Jan. 27. That was when a credit union informed the company about suspicious activity on credit cards used at four Marriott-branded hotels managed by White Lodging.
The company then called a data-forensics company and notified the U.S. Secret Service. The ensuing investigation found malicious software on the payment terminals in the food and beverage portions of 10 hotels in seven states. Potentially compromised data include cardholder names, credit and debit card numbers, security codes and the expiration dates of cards used at the affected locations between July 3, 2014 and Feb. 6 of this year.
After the malware incident announced in early 2014, “we took various actions to prevent a recurrence, including engaging a third-party security firm to provide security technology and managed services,” Dave Sibley, White Lodging president and chief executive of its management division, said in the release. “These security measures were unable to stop the current malware occurrence on point-of-sale systems at food and beverage outlets in 10 hotels that we manage. We continue to remain committed to investing in the measures necessary to protect the personal information entrusted to us by our valuable guests. We deeply regret and apologize for this situation.”
White Lodging said the new compromise “is a separate incident and not related to the one reported in 2014.” How much fraud, if any, has occurred on cards compromised in the new incident has not been disclosed. A spokesperson says the company cannot comment beyond the news release and Web-site update.
The latest compromise affects hotels in Indiana, Michigan, Texas, Colorado, Kentucky and Pennsylvania as well as one in Chicago.
The earlier incident occurred between March 20 and Dec. 16 of 2013. While that breach mostly involved malware on food and beverage POS systems, investigators also found malware in one hotel’s reservation system.
White Lodging is offering free fraud-resolution and identity-protection services to affected cardholders.