Sources at multiple financial institutions say they have detected a pattern of fraudulent activity on customer cards that were used at Hilton Hotel properties between mid-April and late July 2015.
The apparent breach—the numbers affected are not yet known—includes the company’s flagship Hilton locations, and brands Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts across the United States.
Independent security researcher Brian Krebs, who reported the situation, said that Visa originally picked up on the fraud, and after further investigation with five different banks, it was determined that the common point of purchase in all of the transactions was Hilton properties (and related brands).
For its part, Hilton has issued a statement to media:
“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” the company said. “We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”
It appears that the guest reservation system was not compromised—rather, the fraud stems from hacked point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties.
“Hackers use different attack vectors to exploit businesses, and many recent breaches have involved malware that, once installed, exfiltrates sensitive data,” said managed security expert Kevin Watson, CEO of Netsurion, a Houston-based security firm, in an email. “There’s no silver-bullet strategy to defend against every threat. However, a strong line of defense is making sure that data doesn’t leave the network without the admin’s knowledge and if data is sent out, it only goes to verified Internet addresses.”
“Security must be layered with a properly managed firewall, data encryption, network segmentation, passwords and access controls, software updates and anti-virus/anti-malware software,” advised Watson. “Along with protecting incoming traffic and preventing access by malicious actors, it’s critical to limit outbound Internet traffic as well.”
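The egress control Watson describes, limiting what leaves the point-of-sale segment to verified addresses, as an added example that is not from the article or from Netsurion: a Python check over firewall log lines that flags POS-segment connections to destinations outside an allowlist. The POS subnet, allowlisted addresses, and the key=value log format are all constructed assumptions.

```python
"""Egress allowlist check for a segmented POS network (added example).

Flags outbound connections from the point-of-sale segment to destinations
that are not on the verified list. Subnets, addresses and logs are constructed.
"""
import ipaddress

# Assumed POS VLAN and the only destinations it may reach (constructed values).
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_EGRESS = {
    ("203.0.113.10", 443),   # payment processor gateway (placeholder address)
    ("203.0.113.11", 443),   # processor failover (placeholder address)
    ("10.20.0.1", 53),       # local resolver on the segment gateway
}

def parse_line(line: str) -> dict:
    """Parse a key=value firewall log line into a dict (log format assumed)."""
    return dict(field.split("=", 1) for field in line.split())

def unverified_egress(log_lines):
    """Return (src, dst, dport) for POS-segment traffic that left the network
    to a destination outside the allowlist; non-POS sources are ignored."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec.get("action") != "allow" or rec.get("dir") != "out":
            continue
        if ipaddress.ip_address(rec["src"]) not in POS_SEGMENT:
            continue
        dport = int(rec["dport"])
        if (rec["dst"], dport) not in ALLOWED_EGRESS:
            hits.append((rec["src"], rec["dst"], dport))
    return hits

# Constructed sample log lines: the third is from a non-POS subnet and is
# ignored; the last two show a terminal reaching an unverified host.
SAMPLE_LOG = [
    "ts=2015-07-20T02:11:03Z dir=out action=allow src=10.20.0.15 dst=203.0.113.10 dport=443",
    "ts=2015-07-20T02:11:05Z dir=out action=allow src=10.20.0.15 dst=10.20.0.1 dport=53",
    "ts=2015-07-20T02:12:40Z dir=out action=allow src=10.30.0.8 dst=198.51.100.7 dport=443",
    "ts=2015-07-20T02:13:01Z dir=out action=allow src=10.20.0.22 dst=198.51.100.7 dport=443",
    "ts=2015-07-20T02:13:09Z dir=out action=allow src=10.20.0.22 dst=198.51.100.7 dport=8080",
]

if __name__ == "__main__":
    for src, dst, port in unverified_egress(SAMPLE_LOG):
        print(f"POS terminal {src} reached unverified destination {dst}:{port}")
```

In a production deployment the same allowlist would be enforced by the segment firewall's egress rules, with this kind of check run against its logs to catch policy drift.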
This is the latest in a string of hotel heists, including breaches at Mandarin Oriental properties, Hard Rock Las Vegas and others.