TechSpot

Multiple hotel chains hit with payment card-stealing malware

By Shawn Knight
Aug 15, 2016
Post New Reply
  1. Hotel operator HEI Hotels & Resorts has revealed that several of its properties may have recently fallen victim to a security breach involving its point-of-sale (POS) terminals (the kind used in gift shops, restaurants and so forth).

    An extensive forensics investigation found malicious software on its payment processing systems that was designed to steal payment card information. Data potentially at risk includes user names, account numbers, card expiration dates and verification codes.

    HEI says that 20 of its various locations were hit including Marriott, Hyatt, Le Meridien, Intercontinental, Sheraton and Westin brands. The full list of properties, their addresses and dates affected can be found by clicking here.

    The company said it has since removed the malware and is in the process of reconfiguring various components of its network and payment systems to enhance its overall security. HEI has law enforcement involved and is working with banks and payment card companies on the matter, adding that customers can once again safely use payment cards at all of its properties.

    Those who may be impacted by the breach are encouraged to review credit and debit card account statements to look for unusual activity. If something suspicious is found, users should contact their card issuer immediately to resolve the matter. HEI has also published an “Information About Identity Theft Protection” reference guide to further educate users about identity theft.

    Image courtesy Brian A Jackson, Shutterstock

    Permalink to story.

     
  2. Uncle Al

    Uncle Al TS Evangelist Posts: 1,675   +779

    Oh good .... they didn't hit the "Po Boys Trailer Park" so I'm safe!
     
  3. Satish Mallya

    Satish Mallya TS Addict Posts: 125   +92

    Malware: shedding new light on what the 'PoS' in 'PoS terminal' stands for.
     
  4. seefizzle

    seefizzle TS Addict Posts: 278   +142

    At what point do you blame the companies that got breached? It's not like companies are clueless that breaches can happen. All they have to do is look at the dozens of major corporations that have been hacked in the last 10 years as examples. At a certain point it's the store's fault for not securing their networks.
     
  5. Hexic

    Hexic TS Addict Posts: 283   +132

    As far as legalities are concerned, in the world of information/data security, as long as the company was determined and had made a legitimate, earnest effort to keep it's data protected (up to date patches, decent system security checks/processes, etc) - then the company can't be blamed for negligence. Hacks happen all of the time unfortunately, and it's impossible to stop all of them.
     
  6. MonsterZero

    MonsterZero TS Addict Posts: 229   +89

    20 credit cards later?
     
  7. seefizzle

    seefizzle TS Addict Posts: 278   +142

    You're off the mark quite a bit. Retailers have to follow a litany of different rules stated by the Payment Card Industry. There have been many versions of the rules that retailers have to follow. These versions of the rule sets are often referred to as "PCI 3" or "PCI 3.2". This isn't a loose sort of suggestion. This is a set of standards that the credit card processors and credit card brands set forth that merchants MUST meet in order to process credit cards at their location. The rules list is long and quite detailed. To the point where if you process credit cards, your server must be in a locked office with a video camera pointed at it. These rules are taken pretty seriously.

    That said, enforcement of these rules has been pretty lax. The credit card processors say that retailers need to follow the rules but they never actually pull the plug on retailer's and actually stop them from processing. This almost never happens.

    What we've ended up with over the years is massive swaths of businesses out there that haven't kept up with the security protocols to any degree. Security costs money. Having a company come in and set up firewalls and apply security patches and upgrade software costs tens of thousands of dollars and up until this point businesses just don't do the upgrades. Business owners are notoriously cheap and really don't give a hoot about the security of their customer's credit card information. This is plain and simple.

    Now however with the switch over to chip based transactions, the credit card companies are putting the screws to retailers to upgrade their systems and hundreds of thousands of businesses across the country are scrambling to upgrade their systems to accept chip payments. They're only doing this because the credit card processors are forcing the liability of fraudulent transactions to the merchant. If someone comes into a store and swipes their card for 500 bucks, then calls the bank and says they didn't do that transaction, the credit card companies are literally taking that money from the retailer. If the card was swiped instead of using chip, the merchant is now responsible for that charge back. Previously the card brands ate the loss.

    Since they started doing this, more businesses started paying attention to their security. Not because they give a crap about your card security, it's because they care about their bottom line.

    The point that I was making is that there have been tons and tons and tons of breaches. It's not like these companies are unaware of what they need to do to secure their systems. Any big company has probably had quotes for security upgrades given to them yearly by competent point of sale companies and simply refused to go through with the upgrades. For example, prior to being hacked, Home Depot executives were presented with their woeful security flaws and prompted to upgrade their network security. The response from the executives was "We sell hammers". Seriously. Home Depot literally just didn't care.

    At a certain point you have to look at these businesses and business owners. Typically a business decision has been made to not spend the money on security. I feel like maybe the fingers should point to the source of the incompetency.

    Source: Me. I've worked in the pos industry for 10 years.
     
  8. Hexic

    Hexic TS Addict Posts: 283   +132

    I completely agree - what I was referring to were the companies that had accepted their own systems for the way they were, and had gone through the legitimate steps to mitigate the potential of a breach happening.

    I'm referring to liability after responsible precautions have been taken.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...