
Some 20 hotels belonging to HEI Hotels & Resorts have been attacked by hackers who planted point-of-sale malware on their systems.

Chances are that many of us aren’t familiar with HEI, but that doesn’t mean that we’re not potentially at risk if the hospitality firm suffers a data breach.

And that’s because although HEI may not be a household name, its hotel brands are certainly well known around the world – Westin, Marriott, Sheraton, Hyatt, Intercontinental, Le Meridien, Renaissance…

Over the weekend HEI published a “notice of data breach” on its website, warning that it believed the payment card-pinching malware had been planted on some of its point-of-sale systems, stealing card details as purchases were made.

The breach was discovered after HEI received an alert from its card processor.

HEI Hotels & Resorts (“HEI”) recently became aware of a security incident possibly affecting the personal information of some customers who made payment card purchases at point-of-sale terminals, such as food and beverage outlets, at certain HEI managed properties. As a precaution, we are providing this notice, on behalf of our hotel property owners, to make potentially affected customers aware of the incident and call their attention to steps they can take to help protect themselves. We take the security of personal information very seriously, and sincerely apologize for any inconvenience or concern this incident may cause.

Information compromised may include card owner’s names, account numbers, expiration dates and verification codes.

Helpfully, the firm published a list of affected properties and the period of time when customers may have had their details put at risk:

Hotel list

The hackers potentially stole payment card details when malware-infected point-of-sale terminals were used between December 2015 and June 2016, although the date ranges given above show that a few of the affected locations are also thought to have been vulnerable as early as March 2015.

It’s perhaps important to realise that you didn’t even have to be a staying guest at one of the impacted hotels. You could have just been at an affected hotel meeting a friend and bought a can of soda, or you could have been simply visiting the restaurant, gift shop or spa when you made a purchase.

HEI has apologised for any inconvenience caused by the security incident, and published an FAQ for concerned parties – including a sensible recommendation that potential victims remain vigilant, keeping a close eye on their credit card statements for unusual transactions.

The firm says that it has learnt from the breach, and took prompt steps to remove the malware and secure systems. Payment card processing has now transitioned to a standalone system that is “completely separated” from the rest of the network. HEI says that customers can safely use payment cards at all HEI properties once again.

Regular readers will recall that one of HEI’s brands – Marriott – made the security headlines in 2015 after a security researcher discovered that customer details were being exposed through a simple web flaw. Thankfully the security team at Marriott responded quickly when informed, and fixed the vulnerability within 24 hours.

Oracle Micros PoS

The sad reality is that “hotel hacking” has become a regular headline in the last few years, with many well-known chains impacted by point-of-sale malware. Corporate victims have included Mandarin Oriental, Trump, Hilton, Rosen, Hard Rock, Omni and Starwood amongst others… and a common weak spot has been point-of-sale terminals.

Clearly point-of-sale attacks are not targeting one particular hotel chain, or even one family of hotel chains. This is an industry-wide problem, fuelled by hackers exploiting weaknesses in the third-party point-of-sale systems run on hotel premises.

This point is underlined by the realisation that as HEI was warning about security breaches on twenty of its sites, news was breaking that five PoS providers supplying hundreds of thousands of businesses in the United States had been hacked with the seeming intention of stealing retailers’ passwords and gaining access to customer payment details.

Last week Visa issued a security alert warning firms to check their Oracle MICROS PoS devices for malware or unusual network activity, and to ensure that passwords had not been compromised.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.