At least 20 establishments run by HEI Hotels and Resorts, including Hyatt, Marriott, Starwood and Intercontinental hotels, have been attacked by hackers using a targeted malware.
Hotels in 10 US states and the District of Columbia may have been targeted by hackers for months, operator HEI Hotels & Resorts has said. Data from customers may have been collected from early December through to late June.
At some properties, data collection may have begun as early as March 2015 at hotel locations where people bought food or drinks. The firm said that once it found out about the problem it transitioned payment card processing to a standalone system that is completely separate from the rest of its network.
It has disabled the malware and is in the process of reconfiguring various components of its network and payment systems to make them more secure.
“The latest string of point-of-sale (POS) malware attacks on retail and hospitality systems is indicative of the evolving threat environment. As attackers become more sophisticated and the stakes become higher, what we’re seeing is malware undergo professional level development cycles,” noted Ken Bechtel, Malware Research Analyst at Tenable Network Security.
“Mobile devices have become one of the largest growing threats for malware, and storing credit card data in various e-wallets, and in some cases apps, such as those used in fast service coffee shops, provides a lucrative target for profit-driven malware authors.”
Bechtel pointed out that although there are measures in place for consumers to protect their data, there are still threats that the customer cannot control.
"We often forget that the consumer is at a distinct disadvantage when dealing with POS malware, as this threat is beyond their control. While card holders can help protect their accounts by watching for skimmers, keeping their card within sight while paying bills and checking credit card statements for fraudulent activity, once a POS system is compromised there is nothing the user can do to prevent the activity,” explained Bechtel. “It’s the responsibility of the organisation to detect anomalies in credit card transactions and then take ongoing steps to prevent and remediate potential malware threats.
“Security companies are investing in next-generation cybersecurity tools to detect, prevent and remediate POS attacks and other forms of malware to help organisations detect anomalies in credit card activity and keep the network secure,” he continued.
“While not new technology, companies are realising they must treat their POS systems like other computers, including installing host protection software and monitoring the network for abnormal traffic.”