Rosen Hotel chain was hit by credit-card stealing malware for 17 months

Did you visit a Rosen Hotels & Resorts property between September 2014 and February 2016? If so, there's a chance that your credit card details may be in the hands of a criminal gang. Rosen Hotels has published a statement on its website, revealing that it is the latest in a long line of hotel chains and retailers to have suffered at the hands of hackers who planted malware on payment card processing systems. Unfortunately the presence of the payment-card stealing malware went undetected for almost a year-and-a-half. It was only when some hotel guests began to notice unauthorised charges on their cards after staying at Rosen properties that suspicions rose in early February that the hotel chain was the common factor. But, to give Rosen credit, it does appear that their security team began to investigate promptly after realising there was a potential issue - although the attackers appear to have been able to continue siphoning data out of the company for a further two weeks before the door was finally shut on them. Part of the statement reads as follows:

We received unconfirmed reports on February 3, 2016 of a pattern of unauthorized charges occurring on payment cards after they had been used by some of our guests during their stay. We immediately initiated an investigation into these reports and hired a leading cyber security firm to examine our payment card processing system. Findings from the investigation show that an unauthorized person installed malware in RH&R’s payment card network that searched for data read from the magnetic stripe of payment cards as it was routed through the affected systems. In some instances the malware identified payment card data that included cardholder name, card number, expiration date, and internal verification code. In other instances the malware only found payment card data that did not include cardholder name. No other customer information was involved. Cards used at RH&R between September 2, 2014 and February 18, 2016 may have been affected.

"Together with our cyber security firm, we have worked tirelessly to contain and address the incident. Additional, enhanced security measures have been implemented to help prevent this from happening again," said Frank Santos, Vice President and Chief Financial Officer of Rosen Hotels & Resorts. "We regret the inconvenience and concern this news may cause our customers." Rosen Hotels says that it will contacting affected customers when they can ascertain the victim's email or mailing address. But chances are that there are many people who visited the hotel and made card purchases without sharing their address or email details at the same time. The company has established a dedicated helpline – (855) 907-3214 – for guests who have questions about the security incident. Rosen Hotels are just the latest in a long line of hotel chains to have had their customers' data stolen by criminal hackers. Other corporate victims have included include Mandarin Oriental, Trump, Hilton, Marriott, Sheraton and Westin. It would be a brave man who would bet that this is the last we will see of hackers targeting the payment card processing systems of well-known hotels and retailers. While we all hope that security systems are hardened to make the job of hackers more difficult, we must all remain vigilant, and keep a close eye on our credit card statements for unusual activity, and contact our card issuer immediately if we suspect an unauthorised charge has been made. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.