HEI Hotels & Resorts is warning guests who stayed at some of its properties that they might have had their payment card data stolen while making purchases at onsite restaurants, gift shops and spas.
The security breach affected 20 properties, including some Marriott, Starwood, Sheraton and Westin hotels, at various times between March 1, 2015 and June 21, 2016, according to the hotel chain. First reported to the chain by its card processor, the incident has now been contained, the company said.
During the breach, malware on point-of-sale (PoS) terminals might have affected the payment card data of some customers, including card numbers, expiration dates and verification codes. The company is recommending that people who stayed at the affected properties closely review their credit and debit card statements for unusual activity, and immediately report any suspicious charges to their card issuers.
Forensic Investigator Called In
“HEI was recently alerted to a potential security incident by its card processor,” the company said in an online notice. “Based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software on our payment processing systems at certain properties designed to capture payment card information as it was routed through these systems.”
When it learned of the breach, HEI said it promptly notified law enforcement and hired an independent forensic expert to investigate the incident. The company also switched to a standalone payment processing system to separate PoS transactions from the rest of its network.
“Based on an independent forensic investigation, we believe that individuals were able to gain unauthorized access to certain HEI computers and may have been able to access some payment card data as it was being entered into our systems,” the company said.
HEI apologized to customers for any concerns or frustrations caused by this incident. “We have also been in contact with law enforcement and will continue to cooperate with their ongoing investigation,” HEI said.
Since being alerted to the breach, the company said it has been able to remove the malware from its system. HEI added that it is also working to strengthen data security by reconfiguring parts of its network and payment systems, and that its PoS sites are now safe for payment card transactions.
‘Tens of Thousands’ of Transactions
While HEI did not say how many customers may have been affected by the malware, Reuters reported yesterday that the breach could have revealed payment card data from “tens of thousands” of transactions.
According to an FAQ posted by the hotel chain, the organization “does not collect or maintain sufficient information to locate and contact potentially affected customers.” HEI said that guests who didn’t make PoS purchases during their stays at affected properties were not at risk of having their payment data stolen during the incident.
The affected properties include Marriott hotels in Boca Raton, Dallas and La Jolla; Le Meridien hotels in Arlington and San Francisco; Westin hotels in Fort Lauderdale, Minneapolis, Pasadena, Philadelphia, Snowmass and Washington, DC; along with other hotels in Chicago, Miami, Nashville, Santa Barbara, Tampa and Manchester Village, Vermont.