Two More Hotel Chains Hit by POS Breach

August 30, 2016 Marketing GrafWebCUSO

Denver-based Millennium Hotels & Resorts North America, and Kirkland, Wash.-based Noble House Hotels and Resorts are the latest hotel chains to suffer card-related, point-of-sale system cybersecurity incidents.

For MHR, the breach involves food and beverage systems at 14 of its U.S. hotels and fewer than 5,000 cards. The hotel chain said in a press release that it was originally notified of the incident by the Secret Service and took immediate steps to investigate, isolate and take down the card-processing elements of the affected POS systems.

Subsequently, MHR received a warning from its third-party service provider that it had detected and addressed malicious code in certain legacy POS systems, including those used by MHR. Millennium immediately adopted additional security measures as recommended by the third-party service provider.

The affected hotel properties are located in Anchorage, Alaska; Boston; Boulder, Colo.; New York City and Buffalo, N.Y.; Chicago; Cincinnati; Durham, N.C.; Los Angeles; Minneapolis; Nashville, Tenn.; and Scottsdale, Ariz.

The compromised systems are separate from other MHR systems, including MHR’s hotel property management and booking systems.

“We urge customers who visited our U.S. hotels between early March and the end of June this year to check their payment card records and to report dubious transactions to their card operators immediately.” Shaun Treacy, President, North America for MHR, said: “Since being informed of this incident, we have taken a number of steps to ensure that this commitment is met in full.”

The company also engaged third-party cyber forensic experts to investigate the incident. To date, the investigation has not identified the presence of malware on any MHR systems.


Kirkland, Wash.-based Noble House Hotels and Resorts was notified by the Secret Service on July 13, 2016, about possible fraudulent activity on the payment card system for one of its properties, Ocean Key Resort & Spa in Key West, Fla., that could affect more than 12,000 cards.

Noble House said it promptly began an investigation and engaged a computer security firm to examine its payment system for any signs of an issue. On July 26, 2016, the computer security firm confirmed the possible compromise of Ocean Key’s system between April 26, 2016 and June 8, 2016.

The breached information involved data found in the magnetic stripe on payment cards, including card numbers, expiration dates, CVV numbers, and possibly cardholder names. “If guests used a payment card at Ocean Key during the dates listed above, we recommend that they remain vigilant to the possibility of fraud by reviewing their account statements for any unauthorized activity,” Noble House said in a website statement.

Payment card breaches are a hot-button issue with credit unions. NAFCU continues to call for lawmakers to move forward with H.R. 2205/S. 961, the “Data Security Act,” which would set national data security standards and hold merchants accountable for breaches of consumers’ sensitive and personally identifiable data.

“This is just the latest case of hotel chains being breached by what is suspected to be malware on the POS system. Hospitality companies need to understand that they are in a digital war with cybercriminals that are after payment card data,” John Christly, CISO at the Fort Lauderdale, Fla.-based cybersecurity firm Netsurion, said. He added that these hackers are winning the war far too often. Any business, regardless of size or vertical specialty, that processes payment data or offers free Wi-Fi to guests is a lucrative breach target.

Christly said that traditional cybersecurity defenses are not cutting it anymore. “And customers of these establishments deserve the best possible security of their data, and they should expect it too.”

Ondrej Krehel, founder/CEO of the New York City-based LIFARS, a digital forensics and cybersecurity intelligence firm, noted, “The hospitality industry will continue to be under pressure from cyberattacks and POS exploitation. Today’s malware is more advanced and can effectively decipher credit card data, and exfiltrate them to attacker’s online systems.”

Krehel suggested the main challenge for the hospitality industry is building cybersecurity resilience. This is where there is a connection between endpoint protection and behavior-based network monitoring.
