CFOs Beware: Your Payment Card Data May Have Been Stolen

Finance executives go on business travel all the time and stay in Starwood, Marriott, Hyatt and Intercontinental business hotels. If you happen to have used your credit card at any of 20 of these hotels in the US between March 1, 2015 and June 21, 2016, your personal information may have been stolen.

On August 12, HEI Hotels & Resorts posted a “Notice of Data Breach” on its website that reported a “security incident possibly affecting the personal information of some customers who made payment card purchases at point-of-sale terminals, such as food and beverage outlets, at certain HEI managed properties.”

“It appears that unauthorized individuals installed malicious software on our payment processing systems at certain properties designed to capture payment card information as it was routed through these systems,” said HEI. The stolen information could have included name, payment card account number, card expiration date, and verification code.

HEI said its hotels do not store payment card numbers. It believes that the malware may have accessed information in real time “as it was being inputted into our systems.” It assured customers that their PIN numbers and Social Security numbers were not accessed, as HEI does not collect this information.

HEI says it has installed a new payment processing system that is not linked to other parts of the computer network.

Did you stay here?

The company enumerated the 20 US properties that it said could have been affected:

  • Boca Raton Marriott in Florida
  • Dallas Fort Worth Marriott Hotel & Golf Club in Texas
  • Equinox Resort Golf Resort & Spa in Vermont
  • Hotel Chicago Downtown in Illinois
  • Hyatt Centric Santa Barbara in California
  • Le Meridien Arlington in Virginia
  • Le Meridien San Francisco in California
  • Renaissance San Diego Downtown Hotel in California
  • Royal Palm South Beach Miami in Florida
  • San Diego Marriott La Jolla in California
  • Sheraton Music City Hotel in Tennessee
  • Sheraton Pentagon City in Virginia
  • The Hotel Minneapolis Autograph Collection in Minnesota
  • The Westin Minneapolis in Minnesota
  • The Westin Pasadena in California
  • The Westin Philadelphia in Pennsylvania
  • The Westin Snowmass Resort in Colorado
  • The Westin Washington D.C. City Center
  • Westin Fort Lauderdale in Florida

What you can do

“We recommend that customers review credit and debit card account statements as soon as possible in order to determine if there are any discrepancies or unusual activity listed,” HEI said.

“We urge customers to remain vigilant and continue to monitor statements for unusual activity going forward. If they see anything they do not understand or that looks suspicious, or if they suspect that any fraudulent transactions have taken place, customers should immediately notify the issuer of the credit or debit card.”

It can happen to your company

Hotels in Asia have not reported similar data hacks, but that does not mean it cannot happen here – and to other organizations. The data breach, says Ben Gidley, Director of Technology at digital platform security company Irdeto, “demonstrates the difficulty in securing devices when spread over a wide physical network (in this case, HEI’s several hotel locations) where staff and hackers have easy access.”

“The right way to approach such devices is with a whitebox philosophy, where organizations design software to assume the hardware can and will be attacked by hackers,” says Gidley. “However, many businesses are relying on legacy hardware security which doesn’t stand up to determined attackers.”

Gidley asserted that HEI could have avoided being attacked if it had properly assessed the threats to its point-of-sale devices. Contrary to the popular impression that attacks like these require sophisticated methods, he says that in fact attackers usually employ simple means to steal information through access points that corporations have left exposed.

“All organizations with security assets to protect need to wake up and understand the world as it is,” Gidley contends. “Attackers are trying to break in and they need to design IT solutions assuming that a breach will occur.”
