It looks like nobody is safe from malware anymore, even when people are on vacation. HEI Hotels & Resorts, which operates high-end hotels like the Marriott, InterContinental, Hilton and others, announced that 20 of its hotels have had their payment systems breached.
According to a report from Reuters, this breach is just the latest in a series of cyber-attacks targeting hotels around the world. HEI explained, via their spokesperson, that malware had been discovered on their systems, which may have stolen sensitive customer data. Among the hotels affected by the breach are Westin properties in Minneapolis, Pasadena, Philadelphia, and Washington D.C. Also affected are Starwood locations in Arlington, San Francisco and Nashville as well as Marriott hotels in Chicago, San Diego, and Minneapolis. However, this is not an exhaustive list. In total, 12 Starwood, six Marriott International, one Hyatt and one InterContinental hotels were affected.
The malware operated between March 2015 and June 2016. That’s over a year’s worth of transactions, credit card details, names and personal info that was collected from the hotels’ patrons. The only important details that seem to have remained safe are payment card PIN codes, because the hotels’ systems didn’t collect those.
Interestingly enough, a number of Starwood properties, managed by Starwood Hotels & Resorts Worldwide, had been the victims of the same type of attack back in November 2015. At the time, in a statement mirroring the one HEI issued yesterday, company representatives said: "the affected hotels have taken steps to secure customer payment card information and the malware no longer presents a threat to customers using payment cards at Starwood hotels". But this latest report clearly states that 14 out of the 20 infected HEI hotels were breached after December 2nd, 2015. It seems that either the earlier lesson wasn't taken to heart by all hotels or the new security measures were inadequate.
The company affected by the latest breach, HEI Hotels & Resorts, did not comment further except to say that it had informed federal authorities and replaced its payment processing system. Unfortunately, the damage is already done, so if you think you might have been affected, keep a close eye on your bank account and credit card activity.