Hilton Worldwide and Starwood Hotels and Resorts are the latest companies to face cyber attacks: hackers obtained sensitive credit card information from 54 Starwood hotels across the United States and Canada, and various Hilton hotels globally were also compromised.
Among the information targeted: full credit card numbers, cardholder names, expiration dates and security/verification codes from “certain restaurants, gift shops and other point of sale systems” at Starwood and “some point-of-sale systems” at Hilton.
Hilton “immediately launched an investigation and has further strengthened its systems”, said Jim Holthouser, Hilton's EVP Global Brands, while Sergio Rivera, Starwood's President: The Americas, noted that “the malware no longer presents a threat to customers using payment cards at our hotels.”
For Starwood, the attack centred on its upscale and luxury brands with properties such as the Sheraton, Westin and W New York Times Square hotels, Westin New York Grand Central and Westin Los Angeles Airport affected, with the full list of compromised hotels and dates available from Starwood’s website.
No Starwood properties outside North America are known to have been breached by the hack attacks.
Hilton is playing its cards much closer to its chest, sharing only that “certain hotels within the Hilton Worldwide portfolio” were affected from November 18 to December 5 2014 and again between April 21 and July 27 2015, but does namecheck every one of its hotel brands as part of an FAQ on the subject.
Credit card hacks: how they happened
Guest information is believed to have been illegally targeted through the covert installation of ‘malware’ on various hotel systems, which harvested credit card information for a malicious third party instead of the data being transmitted solely to the banks entrusted with processing each electronic payment.
The dates that each hotel’s systems were infected vary between Starwood properties, with some quickly detecting the malware and removing it the very next day while other hotels were blind to the breach and allowed it to continue for months on end.
The extent of the compromised data would potentially allow the culprit to create phoney credit cards or to purchase goods and services online, by phone or by mail without the cardholder’s knowledge.
Adoption of secure ‘chip and PIN’ payment technology in the United States significantly trails that of Australia and other countries, with Stateside merchants often swiping customers’ credit cards through their cash register system instead of a separate EFTPOS terminal.
Point-of-sale systems which rely solely on a card’s magnetic stripe are often targeted by fraudsters, as the more advanced chip and PIN terminals utilise complex encryption and verification algorithms to protect the card number, and to verify whether the card presented is the original or a duplicate.