Nashville Hotel Suffered POS Breach for Three YearsAs Cybercriminals Seek Payment Card Data, Hutton Hotel Is the Latest Victim
The string of cyberattacks striking point-of-sale systems at hotels continues unabated, as a Nashville, Tenn.-based hotel says POS malware compromised its customers' payment card details for more than three years.
The disclosure underscores the continuing problems facing merchants as they attempt to keep their payment card transactions secure. Cyberattackers are still finding low-hanging fruit and have stepped up their attacks to include the networks of POS vendors, which make the hardware and software used for processing card transactions (see 1,000 Businesses Hit By POS Malware).
The latest victim is Hutton Hotel, an upscale, 247-room facility in Nashville owned by Carey Watermark Investors. Hutton Hotel's payment processor notified it of a possible breach.
"Findings from the investigation show that unknown individuals were able to install a program on the payment processing system at the Hutton Hotel designed to capture payment card data as it was routed through the system," according to its Sept. 2 breach notification.
POS malware targets processing points inside payment systems where card data may be unencrypted, such as the moment when a card gets swiped, but before it gets stored. Such attacks have proved successful despite many retailers implementing the Payment Card Industry Data Security Standard. Card issuers require all businesses that handle cardholder information to comply with PCI-DSS.
Unusually Long Breach
Hutton Hotel says the breach included the names, payment card numbers, expiration dates and the verification codes for people who paid for or placed reservations with the hotel from Sept. 19, 2012, through April 16, 2015. Also affected are people who used onsite food and beverage outlets from Sept. 19, 2012, through Jan. 15, 2015, and from Aug. 12, 2015, through June 10.
While many hotels have acknowledged payment card breaches, few have had such long exposure times as that of Hutton Hotel. It suggests that despite a nearly non-ending stream of warnings of large-scale breaches, some hotels are still being caught off guard.
Hutton Hotel says it has put in place new security measures and is now using "stand-alone payment processing devices" although it didn't explain how that helps. Law enforcement has been notified, and the hotel is working with payment card companies to identify those affected.
"For those guests that we can identify as having used their payment card during the at-risk window and for whom we have a mailing or email address, we will be mailing a letter or sending an email to them," it said.
Hutton Hotel officials couldn't immediately be reached for comment.
Systemic POS Problem?
Hutton Hotel's breach shares a link with other recent breaches. It is managed by HEI Hotels & Resorts, which said on Aug. 15 that a POS malware strike compromised 20 hotels.
HEI also manages hotels belonging to InterContinental Hotels Group. On Aug. 31, one chain owned by InterContinental Hotels Group, Kimpton Hotels & Restaurants, warned of a breach. Kimpton, which has 62 properties in about 30 U.S. cities, said names and payment card data may have been leaked by POS malware over a nearly five-month period (see Kimpton Hotels Hit by Card Breach).
The raft of hotel breaches comes as POS vendors are also being directly attacked. Oracle warned in August that malware had been planted in a support portal that's used for servicing and maintaining MICROS POS systems. MICROS is one of the mostly widely used POS systems, with 330,000 customers in 180 countries (see MICROS Breach: What Happened?).
Smaller POS vendors have been hit as well, including Cin7, ECRS, NavyZebra, PAR Technology and Uniwell. Those attacks were discovered by Alex Holden, CISO for Hold Security, which tracks the underground trade in stolen data.
Those breaches follow a similar spate of POS malware infections at hotel chains in recent months that have affected Hilton, Hyatt, Omni Hotels & Resorts, Starwood Hotels and Resorts and Trump Hotels, among others.
Noble Breach Worse Than Suspected
On Aug. 24, meanwhile, Noble House Hotels and Resorts warned that one of its properties - Ocean Key Resort & Spa in Key West, Fla. - had been infected by POS malware from April 26 to June 8, and that anyone who used the hotel, including its restaurant and bars, may have had their payment card details stolen.
On Sept. 2, however, Noble released an updated breach notification warning that 10 of its hotels or independent restaurants suffered a POS malware breach that lasted from around April 25 up to August 5. The properties range from the Kona Kai Resort & Spa in San Diego and the Edgewater hotel in Seattle to the Blue Mermaid restaurant in San Francisco and the LaPlaya Beach & Golf Resort in Naples, Fla.
Anyone who used a payment card at the affected properties during the breach window may have had their name, card numbers, expiration numbers and CVV numbers stolen.
Executive Editor Mathew Schwartz contributed to this story.