Hotel major Hilton Group has admitted that its hotels' point-of-sale (PoS) terminals were compromised with malware. The malware was able to read transaction details, including debit and credit card information, in plain text when it was decrypted on their terminals to conduct the transaction.
The malware exploits a long-known flaw in the PCI-DSS payment security standards that does not stipulate that card data should remain encrypted when it is processed at a point-of-sale terminal. As a result, shop and hotel cash tills have been increasingly targeted in attacks as one of the easiest ways of surreptitiously gleaning payment card details.
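The exposure described above comes from the PoS application itself holding the decrypted card number, so anything that can read the process's memory can read the PAN. The contrast below is an added illustration, not code from Hilton or from any PoS vendor: a plaintext flow in which the terminal software builds the authorisation message from the clear PAN, beside a point-to-point style flow in which the card reader encrypts the PAN under a key the PoS software never holds and the terminal only ever sees ciphertext plus the last four digits. The `find_exposed_pans` check is the kind of test a PCI assessor or DLP tool runs over a memory snapshot: digit runs that pass the Luhn checksum. The keystream construction, key names and message format are all assumptions made for the example; a real deployment would use an authenticated cipher such as AES-GCM with reader-side key management (e.g. DUKPT), not this HMAC counter-mode stand-in.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed sample data for the example (a standard Luhn-valid test number, not real card data).
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "1225"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_exposed_pans(snapshot: bytes) -> list:
    """Scan a buffer (stand-in for a PoS process memory snapshot) for Luhn-valid PANs."""
    text = snapshot.decode("latin-1")
    return [m for m in _PAN_RE.findall(text) if luhn_valid(m)]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative counter-mode keystream from HMAC-SHA256 (assumption: a real reader uses AES-GCM/DUKPT)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def reader_encrypt(pan: str, reader_key: bytes, nonce: bytes = None) -> str:
    """Models the card reader firmware: the PAN is encrypted before it reaches the PoS software."""
    nonce = nonce or os.urandom(12)
    ciphertext = _keystream_xor(reader_key, nonce, pan.encode())
    return base64.b64encode(nonce + ciphertext).decode()


def processor_decrypt(blob: str, reader_key: bytes) -> str:
    """Models the payment processor, the only other party holding the reader key."""
    raw = base64.b64decode(blob)
    return _keystream_xor(reader_key, raw[:12], raw[12:]).decode()


def plaintext_pos_flow(pan: str, expiry: str, amount_cents: int) -> bytes:
    """The flow the article describes: the PoS application builds the message from the clear PAN,
    so the PAN sits in the terminal's memory where scraping malware can read it."""
    return f"AUTH|PAN={pan}|EXP={expiry}|AMT={amount_cents}".encode()


def p2pe_pos_flow(pan: str, expiry: str, amount_cents: int, reader_key: bytes, nonce: bytes = None) -> bytes:
    """Point-to-point style flow: the PoS software only ever handles ciphertext and the last four digits."""
    encrypted_pan = reader_encrypt(pan, reader_key, nonce)   # happens inside the reader, not the PoS app
    return f"AUTH|EPAN={encrypted_pan}|LAST4={pan[-4:]}|EXP={expiry}|AMT={amount_cents}".encode()


if __name__ == "__main__":
    key = os.urandom(32)
    print("plaintext PoS exposes:", find_exposed_pans(plaintext_pos_flow(SAMPLE_PAN, SAMPLE_EXPIRY, 18900)))
    print("P2PE PoS exposes:     ", find_exposed_pans(p2pe_pos_flow(SAMPLE_PAN, SAMPLE_EXPIRY, 18900, key)))
```

Running the block shows the plaintext flow leaking the full PAN from the terminal's buffer while the encrypted flow leaks nothing scannable; the same `find_exposed_pans` check, run over real memory dumps of PoS processes, is a practical way to verify whether a deployment actually keeps card data encrypted at the till.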
The stolen information includes cardholder names, payment card numbers, security codes and expiry dates. Addresses and PINs were not exposed, claims Hilton, although anyone who has stayed at a Hilton hotel in the past year would be advised to check their bank and credit card statements closely and, perhaps, to order new cards.
Hotel groups face particular challenges with payment-card security as they tend to keep the details for a period of time after check-out, suggested Mark Bower, global director of product management, enterprise data security at HPE Security.
"Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in," he said.
He continued: "Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information."
In the statement released last night, Hilton claimed that it had "eradicated unauthorised malware that targeted payment-card information in some point-of-sale systems".
"As a precautionary measure, customers may wish to review and monitor their payment card statements if they used a payment card at a Hilton Worldwide hotel over a 17-week period, from 18 November 2014 to 5 December 2014 or April 21 to 27 July 2015," warned Hilton.
The attack on Hilton Hotels was first publicised by security blogger and journalist Brian Krebs some two months ago, after tip-offs from payment processors. The company appears to have started its investigation straight after Krebs' report was published.
"The company did not say how many Hilton locations or brands were impacted, or whether the breach was limited to compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties," noted Krebs.
Hilton is not the only hotel chain to have been targeted in this way. Last week, Starwood Hotels & Resorts Worldwide admitted that 50 of its locations had been hit by a similar breach lasting six months. Trump Hotel Collection, Mandarin Oriental and White Lodging have also admitted similar breaches.