Millennium Hotels & Resorts North America (MHR) informed customers on Thursday that it’s investigating a possible breach involving the point-of-sale (PoS) systems at over a dozen of its locations in the United States.
The company has hired a third-party forensics company to investigate the incident, but no malware has been found to date on any MHR systems. The information received by the hotel chain suggested that the systems processing customer payment cards, particularly at food and beverage facilities, may have been compromised between early March and mid-June.
MHR was first notified by the U.S. Secret Service and later by a third-party service provider that supplies and services the affected PoS systems. The service provider in question said it had “detected and addressed malicious code in certain of its legacy point of sale systems, including those used by MHR.”
This sounds like the third-party vendor could be Oracle-owned MICROS, which advised customers earlier this month to change their passwords after it detected malicious code on some legacy systems. MICROS was reportedly breached by a cybercrime group that targeted at least five other PoS vendors.
SecurityWeek has reached out to MHR to learn if the incident it’s investigating is related to the MICROS breach. The company says the third party is a significant supplier of PoS systems in the hotel industry, but has refused to disclose its name.
MHR said the security incident could affect PoS systems at 14 of its hotels in the United States. MHR North America operates 14 hotels in New York City, Los Angeles, Boston, Chicago and other cities in the United States, which means all its U.S. hotels could be affected.
There is no evidence that hotel property management and booking systems are impacted, MHR said. The company claims to have implemented additional security measures as recommended by its PoS service provider.
Earlier this month, HEI Hotels & Resorts informed customers that 20 of the hotels it operates in the U.S. are affected by a security breach involving payment card information. HEI operates more than 50 hotels in the United States, including Starwood, Marriott, Hilton, IHG Intercontinental and Hyatt properties.
Several other hotel chains have been targeted recently by cybercriminals, including Kimpton, Hard Rock Hotel & Casino Las Vegas and Omni Hotels.
*Updated with information from MHR

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
