Two major hotel chains are warning customers that their payment card details may have been compromised after discovering point-of-sale (PoS) malware infections on their systems.
Millennium Hotels & Resorts (MHR) and Noble House Hotels and Resorts (NHHR) both announced the security incidents on Thursday following an alert from the U.S. Secret Service.
The hotel companies said they were notified of possible fraudulent activity and subsequently initiated an investigation, engaging third-party cyber forensic experts to examine its payment systems.
“Initial information suggests that the incident affected point-of-sale systems that processed customer card payments – primarily within food and beverage facilities operating at the hotels – between early March 2016 and mid-June 2016,” explained MHR in a press release.
According to a report by Data Breach Today, the malware impacted all 14 of the company’s U.S. hotel properties, including locations in Boston, Chicago, Los Angeles and New York.
“We believe it involved less than 5,000 cards, and while the number of affected is not as large as the numbers of reported by other, larger U.S. hotel operators, we take no comfort in that fact, as any breach is unacceptable,” Millennium spokesman Peter Krijgsman told Data Breach Today.
The Denver-based company noted that the affected food and beverage PoS systems are separate from its hotel property management and booking systems, which do not appear to have been infected.
Meanwhile, Noble House also announced a similar incident, affecting customers of its Ocean Key Resort & Spa in Key West, Florida, who stayed between April 26, 2016, to June 8, 2016.
“The incident may have affected guests who used payment cards during this time frame at Ocean Key, or at one of its onsite dining establishments,” said Noble House.
The hotel said information compromised by the attack involved customers’ names, payment card numbers, expiration dates and CVV numbers.
“At this time, it appears that 12,134 payments card may have been affected by the incident at Ocean Key Resort,” Noble House spokesman Simon Barker told Data Breach Today, adding that the company was currently in the process of sending notification letters to potentially affected guests.
“We recommend that you remain vigilant to the possibility of fraud and identity theft by reviewing your account statements for any unauthorized activity,” Noble House said.
“You should immediately report any unauthorized charges to your financial institution because the major credit card companies have rules that restrict them from requiring you to pay for fraudulent charges that are reported in a timely manner.”