Hotel Hacks Show Complex Payment Terminals Irresistible to Crooks

In a harsh reminder that hackers have found hotel point-of-sale systems to be a treasure trove, HEI Hotels & Resorts is informing its customers of a potential breach affecting their credit cards.

On its Website, HEI told customers that several of its properties may have been victims in a "security incident that could have affected the payment card information of certain individuals who used payment cards at point of sale terminals." The security breach took place at 20 HEI properties from March 2015 to June 2016, the company said. The Norwalk, Conn.-based company manages nearly 60 Starwood, Hilton, Marriott, Hyatt and InterContinental sites.

The rash of hotel breaches over the past couple of years demonstrates that hotel payment hardware is complex and tough to protect because of the large number of software-based features that are tied to the point of sale. Additionally, the growing security measures for hotels are causing confusion among users.

The HEI breach continues what has been a difficult security stretch at Marriott and Starwood hotels. When Marriott International began efforts earlier this year to acquire Starwood Hotels and Resorts Worldwide, it was doing so not long after both chains had dealt with data breaches. Marriott made security procedures a key element of the acquisition discussions.

Though HEI continues to work with investigators to determine what type of attack took place, security experts have been warning major retailers and the hospitality industry that hackers are deploying a new malware strain called "multigrain" through cyber attacks at the POS, making customer data vulnerable to third parties.

In the latest incident, the affected HEI properties were not region-specific; it appears the malware infiltrated POS terminals at some locations and obtained card data as it moved through the network. Hotels affected ranged from Florida and California to Texas, Colorado, Minnesota, Washington, D.C., Illinois, Virginia and Pennsylvania.

HEI did not provide an estimate of the number of cards potentially breached, but noted that the vulnerable information included payment card data such as name, account number, card expiration date and verification code.

The hotel management company speculates that the payment card information was compromised in real time as card data was input into the hotel system. HEI does not store payment card data on its network.

HEI has told customers that it has contained the breach and that it is safe to use payment cards at all of its hotels.
