White Lodging Services, an independent hotel management company, said on Monday that point-of-sale (POS) systems at 14 of its properties may have been breached, resulting in exposure of customer payment data from Mar. 20 to Dec. 16, 2013 at food and beverage outlets such as hotel restaurants and lounges.
The company also said that one property, the Radisson Star Plaza in Merrillville, IN, may have had both its point-of-sale system and its property management system used at the front desk compromised, indicating that hotel guests’ credit card information was put at risk.
According to the hospitality company, the food and beverage outlets affected by the suspected breach were the following hotel locations:
• Marriott Midway, Chicago, IL
• Holiday Inn Midway, Chicago, IL
• Holiday Inn Austin Northwest, Austin, TX
• Sheraton Erie Bayfront, Erie, PA
• Westin Austin at the Domain, Austin, TX
• Marriott Boulder, Boulder, CO
• Marriott Denver South, Denver, CO
• Marriott Austin South, Austin, TX
• Marriott Indianapolis Downtown, Indianapolis, IN
• Marriott Richmond Downtown, Richmond, VA
• Marriott Louisville Downtown, Louisville KY
• Renaissance Plantation, Plantation, FL
• Renaissance Broomfield Flatiron, Broomfield, CO
• Radisson Star Plaza, Merrillville, IN
The company did not say how many customers or card numbers could be affected as a result of the “suspected” breach.
“Guests at the hotels who did not use their credit card at these outlets, and guests who purchased to their room account at these outlets, were not affected,” the company said.
“Upon learning of the suspected data security breach, we immediately contacted appropriate federal law enforcement officials and initiated a third-party forensic review, including a review of all other properties managed by White Lodging,” the statement continued.
Attackers may have accessed data including names printed on customers’ payment cards, and payment card numbers along with the security code and card expiration dates.
“Guests who used or visited the affected businesses during the nine month-period and who used a credit or debit card to pay their bills at the outlets might have had such information compromised and are encouraged to review their statements from that time period,” the company said. The company also suggested that guests consider placing a fraud alert on their credit files.
With nearly $1 billion in annual revenue, White Lodging Services operates more than 169 hotels in 21 states under brands including Preferred Hotel Group, Marriott, Hilton, Hyatt, Starwood Hotels and Resorts, InterContinental Hotel Group and Carlson Rezidor Hotel Group.
“As we’ve seen with recent data breaches at retailers such as Target, Neiman Marcus and Michaels, credit card theft is becoming business as usual these days,” Marc Maiffret, CTO of BeyondTrust, told SecurityWeek in an emailed statement. “We might very well see a tipping point this year that finally draws national laws on reporting of such theft/breaches at a much deeper level than we have now.”
On Friday, security and cybercrime researcher and blogger, Brian Krebs, reported that the company may have suffered a data breach. Krebs said that in early January, sources in the banking industry “began sharing data indicating that they were seeing a pattern of fraud on hundreds of cards that were all previously used at Marriott hotels from roughly March 23, 2013 on through the end of last year.”
