One of the world’s largest hotel and leisure companies announced late last week that point-of-sale (PoS) systems at more than 50 of its hotels located across North America have been compromised.
Starwood Hotels & Resorts – which owns and operates a number of international brands, including St. Regis, Westin, W Hotels, Sheraton and Le Méridien – said it had recently become aware some of its systems had been infected with malware aimed at stealing customers’ credit and debit card information.
In a letter addressed to customers from Starwood president Sergio Rivera, the company said 54 hotel properties were affected by the breach, which started as early as November 2014 at certain locations and ended sometime in April or May.
Based on an ongoing investigation, the company has determined the malware affected restaurants, gift shops and other point of sale systems at the relevant Starwood properties (PDF).
“We have no indication at this time that our guest reservation or Starwood Preferred Guest membership systems were impacted,” the company noted.
“The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date.”
As of now, the company has found no evidence that other customer information, such as contact information, Social Security numbers or PINs, were also affected by the incident.
Starwood said it has been working closely with law enforcement authorities and coordinating efforts with the payment card organizations to determine additional details of the breach.
“We want you to know that the affected hotels have taken steps to secure customer payment card information, and the malware no longer presents a threat to customers using payment cards at our hotels.”
Travis Smith, a security analyst at Tripwire, told TopTechNews that the valuable data PoS systems transmit continues to make them primary targets for malicious actors.
“Point of sale device[s] typically see less change than other IT assets, but unfortunately, they are also not monitored as closely,” said Smith.
“All kinds of merchants can learn from the breaches we’ve seen over the past few years. Everyone processing credit card data should take proactive steps to harden POS devices and monitor them closely in order to defend against these kinds of attacks. This problem is going to continue for the foreseeable future,” warned Smith.
Individuals whom may have been affected are advised to check their payment card statements for unusual activity and immediately notify their bank or card issuer.
Starwood is offering free identity protection and credit monitoring services for one year to impacted customers.
The disclosure comes just days after hotel chain announced Marriott International would acquire the company in a $12.2 billion deal to create the world’s largest hotel company.