Millennium Hotels & Resorts North America (MHR) informed customers on Thursday that it’s investigating a possible breach involving the point-of-sale (PoS) systems at over a dozen of its locations in the United States.
The company has hired a third-party forensics company to investigate the incident, but no malware has been found to date on any MHR systems. The information received by the hotel chain suggested that the systems processing customer payment cards, particularly at food and beverage facilities, may have been compromised between early March and mid-June.
MHR was first notified by the U.S. Secret Service and later by a third-party service provider that supplies and services the affected PoS systems. The service provider in question said it had “detected and addressed malicious code in certain of its legacy point of sale systems, including those used by MHR.”
This sounds like the third-party vendor could be Oracle-owner MICROS, which advised customers earlier this month to change their passwords after it detected malicious code on some legacy systems. MICROS was reportedly breached by a cybercrime group that targeted at least five other PoS vendors.
SecurityWeek has reached out to MHR to learn if the incident it’s investigating is related to the MICROS breach. The company says the third party is a significant supplier of PoS systems in the hotel industry, but has refused to disclose its name.
MHR said the security incident could affect PoS systems at 14 of its hotels in the United States. MHR North America operates 14 hotels in New York City, Los Angeles, Boston, Chicago and other cities in the Unites States, which means all its U.S. hotels could be affected.
There is no evidence that hotel property management and booking systems are impacted, MHR said. The company claims to have implemented additional security measures as recommended by its PoS service provider.
Earlier this month, HEI Hotels & Resorts informed customers that 20 of the hotels it operates in the U.S. are affected by a security breach involving payment card information. HEI operates more than 50 hotels in the United States, including Starwood, Marriott, Hilton, IHG Intercontinental and Hyatt properties.
Several other hotel chains have been targeted recently by cybercriminals, including Kimpton, Hard Rock Hotel & Casino Las Vegas and Omni Hotels.
*Updated with information from MHR