Breach, Compliance Management, Data Security, Malware, Privacy

Hilton Worldwide confirms malware on POS targeted payment card info

Thieves that planted unauthorized malware on some Hilton Worldwide point of sale (POS) systems aimed to glean payment card information in a breach that occurred late in 2014 or mid-2015, the hotel company confirmed Tuesday.

Ryan Wilk, director at NuData Security, noted that “hackers don't take vacations, and they are just as excited about your vacation as you are. Why? Because while you're enjoying yourself, they will be too when they skim your credit cards while you're there.”

That's what seems to have happened at Hilton and elsewhere. Starwood Hotels reported a similar breach earlier this month.

“This credit card breach announcement is just one of a spate of similar hacks that have occurred over the last year or so targeting hotels,” Wilk said in comments emailed to SCMagazine.com. 

In late September rumors swirled that a breach might have occurred at Hilton's POS registers in gift shops and restaurants after Visa apparently alerted financial institutions of a breach and prompted the company to issue preliminary words of caution.

But this week the hotel chain confirmed the breach. Hilton said in a statement that after discovering the incursion, which occurred either “November 18 to December 5, 2014 or April 21 to July 27, 2015,” it immediately launched an investigation that revealed “specific payment card information, including account names, payment card numbers, security codes and expiration dates, was targeted by the malware.” No addresses or personal identification numbers (PINs) appear to have been accessed, the statement said.

“While we can't know for sure what hackers long-term plans are, it does seem credible that they are targeting specific industries that likely have the same exploits in order to maximize their efforts before moving on to the next industry,” Wilk said. “Once they get the card numbers, hackers then sell them on the Dark Web, use them directly in credit card cycling scams, or tie them to other data leaks to create full personas ripe for identity theft or fraudulent account creation, likely contributing to the overall increase in account takeovers we've seen, over 100% increase since February 2015.” 

Kevin Watson, CEO at Netsurion, in comments emailed to SCMagazine.com called news of the breach “unsettling, especially as millions of Americans are preparing to travel for the upcoming Thanksgiving holiday.”

He added, “It's a harsh reminder that no business is immune to cybercriminals, and it's especially important during the holiday season for merchants, retailers, hotels and hospitality businesses that process payment data to understand that they are lucrative targets.”

Watson underscored that it is “essential” for Hilton and others “to protect customer data and ensure that stronger security measures are in place for their networks, payment systems and on-premise Wi-Fi services.”

By prioritizing those areas now, hospitality organizations can then “ focus on the core business of providing customers with exceptional dining, lodging, event and travel experiences during the busy holiday travel period.”

Hilton urged customers who used their payment cards during that time periods in question to monitor their card statements for fraudulent activity. Hilton is offering what has become the standard one-year complimentary credit monitoring and is posting updates on details as they emerge at hiltonworldwide.com/guestupdate



Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds