January 31, 2014

White Lodging, a company that maintains hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin appears to have suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013, KrebsOnSecurity has learned.

whitelodgingEarlier this month, multiple sources in the banking industry began sharing data indicating that they were seeing a pattern of fraud on hundreds of cards that were all previously used at Marriott hotels from roughly March 23, 2013 on through the end of last year. But those sames sources said they were puzzled by the pattern of fraud, because it was seen only at specific Marriott hotels, including locations in Austin, Chicago Denver, Los Angeles, Louisville and Tampa.

Turns out, the common thread among all of those Marriott locations is that they are managed by Merrillville, Indiana-based White Lodging Services Corporationwhich bills itself as “a fully-integrated owner, developer and manager of premium brand hotels.” According to the company’s Web site, White Lodging’s property portfolio includes 168 full service hotels in 21 states, with more than 30 restaurants.

White Lodging declined to offer many details, saying in an emailed statement that “an investigation is in progress, and we will provide meaningful information as soon as it becomes available.”

Update: Feb. 7, 9:32 a.m. ET: White Lodging has issued a statement acknowledging a breach at 14 hotels, including Marriott, Starwood, Intercontinental and other brands. Also, NBC is reporting that White Lodging knew about this breach two weeks before this breaking story was first published.

Original story:

Marriott also issued a statement, noting that “one of its franchisees has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels.” The statement continues:

“They are in the midst of the investigation and are in close contact with the banks and credit cards companies.  We are working closely with the franchisee as they investigate the matter.  Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide.  As this impacts customers of Marriott hotels we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely.”

Other hotel chains franchised by White Lodging — including Hilton and Starwood Hotels (which owns the Sheraton and Westin brands) — could not be immediately reached for comment.

Sources say the breach appears to have affected mainly restaurants, gift shops and other establishments within hotels managed by White Lodging — not the property management systems that run the hotel front desk computers which handle guests checking in and out. In the case of Marriott, for example, all Marriott establishments operated as a franchise must use Marriott’s property management system. As a result, the breach impacted only those Marriott guests who used their cards at White Lodging-managed gift shops and restaurants.

News of the breach comes on the heels of similar attacks against major retailers. Last week, in response to questions about banks tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., the nationwide crafts and framing retailer said it “may have experienced a data security attack.” The company has so far declined to offer more information about the matter.

On January 10, upscale retailer Neiman Marcus confirmed that it was the victim of a hacker break-in that exposed customer card data. In a subsequent Q&A published on its Web site, the company said the breach at its stores extended from July 16, 2013 to Oct. 30, 2013, and may have impacted more than 1.1 million customer cards.

Target has said its breach — which ran from Nov. 27 through Dec. 15 — may have affected more than 40 million customer credit and debit cards, and name, address, email address and phone numbers for at least 70 million customers.


82 thoughts on “Hotel Franchise Firm White Lodging Investigates Breach

  1. Joey J.

    FIA card services replaced my VISA card last fall due to an alleged retailer data breach. Took some persuasion to get them to name Best Buy as the targeted party. Any information on this?

  2. TheHumanDefense

    Not sure what voter ID cards really has any impact or point in this blog relating to a breach.

  3. TheHumanDefense

    All,
    If you were to review the comments from many of us on this article and the other articles from recent, you might see a common factor.
    I read a lot, I really read a lot. I’ve been reading these and all of the other comments and discussions (insomniac) and it’s extremely entertaining and an excellent learning opportunity. There are such incredibly witty, intelligent and brilliant minds posting their thoughts here.

    Common factor:
    The human…..that’s it
    developers….administrative people, management…..marketing….and so on, and so on………..

    We must recognize that no matter the technology, the bad guys will always…..always use our human habits against us.

    I drive a Jeep…not the SUV version, but a real jeep. My friends some times comment on why do I drive a stick? Why did you get the soft top? “Dude, wait this is a 2009? What? You have to roll the windows up?” I like to feel the RPMs and shift by sound, and take the windows off without having to remove the top. Finally, I still have a key that unlocks the doors, starts the engine and locks up all of my internal storage. No motors to break, or stop working. My window crank stops working? I can replace it in about 15 minutes. Hopefully, some of you see a connection to security here.
    Anyway…..however, she still has ABS breaks, airbags, a full roll cage, and finally, 1 mile of fiber optic cables controlling the breaks, ignition, and all that connected to a computer. In fact, my insurance went down $100 a year because of the full roll cage.
    But if I drive like an idiot, like I cannot get hurt in my Jeep, I hurt others or potentially my family and then ultimately I might hurt myself.

    Me, I the human behind the wheel controls the next move. The next move may be my last……..or cost me a tremendous amount of money. For example, rear tire mounted tail gate=$2300 if not covered by insurance.

    I use to work cattle for a living, and it was as basic as it could be. Everything was so much more difficult, because a horse has an opinion, a very large and in your face opinion. If that horse doesn’t like you, they will find a way to let you know…..anyway.

    I tend to write my thoughts as they come to mind, and I hope some see my point here.

    One day if we could all meet up in one room, a few hundred pints and some good food what an awesome time we could all have sharing great information.

    Good luck all.

  4. ntengkofa

    Just last week, fraudulent activities started to pop up on my cc. Started to do my own research that led me to your informative articles and blog.

    I travel a lot and stay in the hotels a lot. I have been a very loyal customer for many years of one of the hotels involved in this data breach. When I shared your article with this hotel, they turned ludicrously defensive. It is all about business, they do not want to spread the noise.

    I am looking forward to hearing more from you. I am sure lots of people are monitoring the situation.

    May the force be with you Brian! Thank you!

Comments are closed.