A payment card data breach has been uncovered at Starwood Hotels, involving at least 54 locations.
Details are scant for now, but the hotel chain said the culprit was malware installed on point-of-sale (PoS) systems in restaurants, gift shops and other ancillary systems. So far, there is no indication that the guest reservation or Starwood Preferred Guest membership systems were affected.
Access occurred at different times at each location; the earliest intrusion began in early November last year, and all of them ended in April of this year.
“The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date,” the company said in an open letter. “There is no evidence that other customer information, such as contact information, Social Security numbers or PINs, was affected by this issue.”
While we wait for more information, what’s the takeaway? Unfortunately, it appears these kinds of breaches are here to stay. Consumers must remain vigilant in how they manage their credit cards and other personal information. One way to do that is to reduce the credit card “attack surface” by using only one major credit card.
“In today’s interconnected world, there is no place to hide,” said Lane Thames, security researcher at Tripwire. “If a company has any type of payment-processing system, then rest assured someone, somewhere, has or will eventually try to find a way to break in to steal valuable payment-related information. Merchants and consumers all need to understand this because no one is immune from the vast infestation of malware and malicious actors roaming around the Internet these days—and it won't be changing for the better for the near future.”
On top of that, Mark Bower, global director of product management for enterprise data security at HPE Security, said that hospitality service providers face extraordinary challenges securing customer data at the PoS.
“Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in,” he explained in an emailed comment. “Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information.”
No specific malware has been associated with the Starwood breach yet.