Around 20 US hotels operating under the Starwood, Marriott, Hyatt and Intercontinental brands have been subject to a malware attack.
The security breach – which has affected selected properties managed by HEI Hotels and Resorts – saw malware installed on the payment processing systems at the properties, “designed to capture payment card information as it was routed through these systems”.
In a statement HEI said:
“HEI Hotels & Resorts (“HEI”) recently became aware of a security incident possibly affecting the personal information of some customers who made payment card purchases at point-of-sale terminals, such as food and beverage outlets, at certain HEI managed properties.
“As a precaution, we are providing this notice, on behalf of our hotel property owners, to make potentially affected customers aware of the incident and call their attention to steps they can take to help protect themselves.
“We take the security of personal information very seriously, and sincerely apologise for any inconvenience or concern this incident may cause.”
The affected properties include the Dallas Fort Worth Marriott Hotel and Golf Club, Le Meridien San Francisco, the Renaissance San Diego Downtown Hotel, and the Westin Washington DC City Centre.
A full list of the affected hotels, along with the dates during which data may have been compromised at each property, can be seen here.
HEI said that “We believe the malware could have affected payment card data – including name, payment card account number, card expiration date, and verification code – of customers who used a payment card at point-of-sale terminals at the affected properties”.
The group said that it “took steps to address and contain this incident promptly after it was discovered, including engaging outside data forensic experts to assist us in investigating and remediating the situation and promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network”.
HEI also said that it had disabled the malware, and “is in the process of re-configuring various components of our network and payment systems to enhance the security of these systems”.
It advised potentially affected customers to “review credit and debit card account statements as soon as possible in order to determine if there are any discrepancies or unusual activity listed”, and to “immediately notify the issuer of the credit or debit card” if they suspect any fraudulent transactions have taken place.