Omni Hotels Subtly Discloses Payment System Hack

In what I like to call a cowardly Friday afternoon data breach disclosure, Omni Hotels disclosed that several of its hotel properties were impacted by malware infecting its point-of-sale (PoS) systems. 

In an attempt to miss the news cycle and fly below the radar, companies often make data breach incidents public on Friday afternoons. While Omni Hotels is not alone in this tactic, the company did go a bit further in an effort to bury the incident, despite claiming that the privacy and protection of their guests’ information is a matter they take very seriously.

In analyzing the page hosting the breach notice, SecurityWeek discovered lines of code that specifically instruct search engines such as Google to not index the page and not include it in search results. 

If a company cares about the privacy and protection of customer information, why would they purposefully try to block search engines from indexing an important announcement?

In reviewing the code of other pages across the Omni Hotel site, it’s clear the web team knows how to work with search engines, as the company has well-crafted search engine optimization details coded into other sections of the site so that potential customers can easily find hotel information. 

However, the data breach notice interestingly includes the code below which actively instructs search engines not to index the page.

<meta name=”ROBOTS” content=”NOFOLLOW, NOINDEX” instart_patch_id=”17″/> 

SecurityWeek has contacted Omni Hotels for comment on both the timing of the breach announcement and reason for intentionally keeping the page from search engines. The company did not respond to our inquiry by the time of publishing.

In terms of the incident itself, the hotel chain said that on May 30, they discovered that malware had infected PoS systems at some of its hotel properties. 

“The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date,” the data breach notice said.

According to the company, the attacks did not affect all of its hotels, but they did not say how many or which hotels were affected. The company operates 60 hotels across the United States, Canada and Mexico.

“Depending on the location,” the notice reads, “the malware may have operated between December 23, 2015 and June 14, 2016, although most of the systems were affected during a shorter timeframe.”  

Many hotel chains reported being targeted by cybercriminals over the past year, including Hyatt Hotels, Mandarin Oriental Hotel Group, White Lodging Services, Hilton and Starwood Hotels. Hyatt reported in mid-January that 250 of its hotels from all over the world had been affected by a breach. This spring, the Trump Hotel Collection was hit by malware targeting payment card data.

Late last month, Hard Rock Hotel & Casino Las Vegas said that hackers managed to access customer payment card data through card scraping malware installed on systems running the resort’s payment card system. For the record, Hard Rock also had code on its data breach notification statement instructing search engines not to index the page.

Last week, Wendy’s revealed that PoS malware infected the payment systems at more than 1,000 of its restaurants, more than three times larger than the initial number announced in May. 

More than a dozen new PoS malware families have been discovered by researchers recently, including NitlovePoS, PoSeidon, MWZLesson, MalumPOS, Cherry Picker, AbaddonPOS, TreasureHunt, Multigrain, and many more.