Hotel Company Reveals Second BreachPOS Malware Potentially Exposed Card Data
White Lodging Services Corp. has revealed a malware attack against point-of-sale systems at 10 of the hotels it manages, potentially exposing payment card data for an undisclosed number of customers. The disclosure comes about a year after the company confirmed a similar malware-related breach.
The Merrillville, Ind.-based company says POS systems in restaurants and lounges at the hotels were affected by the breach from July 3, 2014, through Feb. 6, 2015. The hotels are in Colorado, Illinois, Indiana, Kentucky, Michigan, Pennsylvania and Texas. Several of the hotels were also affected by a 2013 breach, according to the company's announcement when that incident was revealed last year.
The "unlawfully accessed data at risk" includes names, payment card numbers, card security codes and expiration dates, the company says. "Guests who used or visited the affected food and beverage outlets during the seven month-period and who used a credit or debit card to pay their bills at the outlets might have had such information compromised and are encouraged to review their statements from that time period."
White Lodging Services is offering one year of free fraud resolution and identity protection services to those affected.
The company says it manages hotels under agreements with the hotel owners and is a separate entity from the specific hotel chains involved, including Marriott and Starwood.
The latest breach was initially discovered on Jan. 27, 2015, when White Lodging Services was notified of some unusual activity on credit cards used at four Marriott hotels it manages, the company says.
"We quickly engaged a third-party forensic services provider to conduct an investigation. We also notified the U.S. Secret Service," the company says. "The preliminary results of the investigation revealed malicious software and remnants of such software on a number of the point-of-sale terminals used at food and beverage outlets at the hotels. Because this malicious software was detected, the credit/debit card data entered on these devices was at risk of theft."
Back in February 2014, the company revealed that 14 of its managed hotels were apparently hit by POS malware. That breach occurred from March 20 to Dec. 16, 2013, White Lodging Services reported. Breached systems in that incident also were primarily at restaurants and lounges.
"After suffering [that] malware incident, we took various actions to prevent a recurrence, including engaging a third-party security firm to provide security technology and managed services," says Dave Sibley, the company's president and CEO, hospitality management. "These security measures were unable to stop the current malware occurrence on point-of-sale systems at food and beverage outlets in 10 hotels that we manage. We continue to remain committed to investing in the measures necessary to protect the personal information entrusted to us by our valuable guests."
Upon learning of the latest malware attack, the company says it immediately contacted federal law enforcement officials and initiated a third-party forensic review. White Lodging Services is continuing to work with investigators and the credit card companies. No arrests in the incident have been made so far, the company adds.
"We are taking steps designed to prevent a reoccurrence based on our current and past experiences," the company says in its statement.
A White Lodge Services spokeswoman declined to provide further details.
A Common Struggle
Security expert David Kennedy, founder of the consulting firm TrustedSec, tells Information Security Media Group that it's common for a company to be struck by breaches more than once.
"Companies really struggle with what to do for security and when they get hacked; other hackers notice the lack of security and do the same thing," he says. "Hackers are also very hard to get out of your network once they are in - it could be the same group, just not fully removed from an organization.
"I would hope that any organization that suffers a breach puts significant controls in place to prevent it from happening again."
In another recent malware attack targeting hotels, global luxury hotel chain Mandarin Oriental Hotel Group in March confirmed a card compromise connected to breaches of its point-of-sale systems (see Two New POS Breaches Lead to Fraud).
One important step that businesses can take to help prevent POS breaches is implementing strong perimeter security controls, such as unified threat management appliances that have push capabilities for updated signatures, says Michael G. Mathews, president and co-founder of the security consulting firm CynergisTek.
"Now more than ever it is very important to segment the corporate network to isolate assets of differing risk," he adds. "Isolating things such as point-of-sale devices reduces the chances that malware can even make it on to the devices in addition to keeping the devices from being affected by other potential incidents on other segments of the network."