Managers at White Lodging, a hotel
management firm that works with various brands including Hilton,
Marriott, Westin, Sheraton and Hyatt, may have known of a major credit
card data breach for two weeks before details were made public,
according to reports.
NBC News’s report claims that the nine-month malware attack, which led to fraud
against customers who had used terminals at 14 hotels managed by White
Lodging, was reported to the firm on January 16, but that a spokesman
for one of the hotel chains said that the firm did not notify them of
the attack until January 31, when the breach was first reported by security blogger Brian Krebs.
The breach, reported by We Live Security, revealed names, credit card numbers and expiry dates from visitors throughout 2013, with the earliest dating back to March 23rd.
White Lodging said
in an official statement, “On January 16, 2014, White Lodging was
notified that there was a suspected breach of credit/debit card data
during the period March 20 – December 16, 2013 at food and beverage
outlets at the following hotels: We quickly engaged a third party
forensic services provider to conduct an investigation. We also notified
the U.S. Secret Service and FBI. The preliminary results of the
investigation revealed malicious software and remnants of such software
on a number of the point of sale terminals used at food and beverage
outlets at these hotels.”
The security breach came to light after banking analysts
spotted a pattern of credit card frauds centred around specific Marriott
hotels at branches including Austin, Denver, Los Angeles, and Tampa,
all managed by White Lodging. The Indiana-based company manages 171
hotels across the country.
White Lodging is maintaining an official page for the credit card breach, including an FAQ regarding
the extent of the breach, which it says largely affected customers who
had used point-of-sale systems for food and beverages at 14 hotels.
It’s not clear as yet how many customer cards may have been affected, and White Lodging says that it’s not known whether the attack is connected to the recent data breaches affecting Target and other U.S. retailers.
In its most recent update, the firm writes, “Our investigation revealed that the food and beverage outlets at 14 hotels were affected. At one of these hotels both the property management system used to process guests’ credit card data and the point of sale system at the food and beverage outlets were affected. This incident was communicated in a press release because we do not have contact information for the affected cardholders.”
“We deeply regret and apologize for this situation. Please
be assured that we take the protection of the information you entrust
to us seriously and are working to prevent a recurrence in the future.
It is our intention to provide you with as much information as we
reasonably can to help you understand what happened, the steps you can
take to protect your credit/debit card and the steps we have taken to
protect you.”
Marriott has also said that it is monitoring the situation.
Spokesman Jeff Flaherty said: “We are working closely with the
franchise management company as they investigate the matter. Because the
suspected breach did not impact any systems that Marriott owns or
controls, we do not have additional information to provide.”
The attack is the latest in a growing list of financial break-ins to hit American businesses. Last week, the arts and crafts retailer Michaels suffered a very similar hack,
which was also stopped by credit card fraud analysts, as reported by We
Live Security. Prior to that, Target and Neiman Marcus, the luxury
retailer, were affected in large-scale breaches. Neiman Marcus’ breach is thought to have revealed details of more than a million customers’ cards.
U.S. Attorney General Eric Holder announced at a Senate hearing last
week that a federal investigation was ongoing into this spate of
attacks. “We are committed to working to find not only the perpetrators of these sorts of data breaches, but also any individuals and groups who exploit that data via credit card fraud”, he said.