November 24, 2015

Two months after KrebsOnSecurity first reported that multiple banks suspected a credit card breach at Hilton Hotel properties across the country, Hilton has acknowledged an intrusion involving malicious software found on some point-of-sale systems.

hiltonAccording to a statement released after markets closed on Tuesday, the breach persisted over a 17-week period from Nov. 18, 2014 to Dec. 5, 2014, or April 21 to July 27, 2015.

“Hilton Worldwide (NYSE: HLT) has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems,” the company said. “Hilton immediately launched an investigation and has further strengthened its systems.”

Hilton said the data stolen includes cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs).

The company did not say how many Hilton locations or brands were impacted, or whether the breach was limited to compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties — as previously reported here.

The announcement from Hilton comes just five days after Starwood Hotel & Resorts Worldwide — including some 50 Sheraton and Westin locations — was hit by a similar breach that lasted nearly six months.

Starwood and Hilton join several other major hotel brands in announcing a malware-driven credit card data breach over the past year. In October 2015, The Trump Hotel Collection confirmed a report first published by KrebsOnSecurity in June about a possible card breach at the luxury hotel chain.

In March, upscale hotel chain Mandarin Oriental acknowledged a similar breach. The following month, hotel franchising firm White Lodging allowed that — for the second time in 12 months — card processing systems at several of its locations were breached by hackers.

Readers should remember that they are not liable for unauthorized debit or credit card charges, but with one big caveat: the onus is on the cardholder to spot and report any unauthorized charges. Keep a close eye on your monthly statements and report any bogus activity immediately. Many card issuers now let customers receive text alerts for each card purchase and/or for any account changes. Take a moment to review the notification options available to you from your bank or card issuer.


24 thoughts on “Hilton Acknowledges Credit Card Breach

  1. CyberGuy

    Cool. Another free credit monitoring product for my never-ending collection.

  2. StuartC

    “Hilton Worldwide has identified and taken action to eradicate unauthorized malware”

    So they’re happy to leave the AUTHORIZED malware in place? 😉

  3. Familiar with Matter

    The point of sale systems are from Micros aka now owned by Oracle. From what I have heard from people who work at Oracle is that there are many security problems and they are told by their bosses to make it clear to the customer that Oracle is not to be held responsible and that the customer is responsible for securing the pos system

    1. CJD

      That is pretty much the position of all POS vendors, save for those that sell all in one hardware and software solutions – and fairly so. To my knowladge, there has not been a single breach attributed to vulnerabilities in the POS software itself; in every major case that I am familiar with there has been poor perimeter defenses and terrible segmentation between corporate and POS networks, along with vulnerabilities at the OS and / or lack of solid antivirus at the POS itself.

      I have said it before, and I will say it again – take the time to implement application whitelisting at the POS as a part of your overall security strategy. It has served us very well, and is a big part of why I can sleep well at night.

      1. Kurt

        Do you have any whitelisting software that is known to work on Micros terminals? Oracle/Micros won’t even issue a recommendation or tell customers which ones work with a given version.

        1. cheedoe

          Any software that can whitelist, which is pretty much any/all endpoint security software or even some basic anti-virus software. Find out the addresses/ports of your remote connections and the addresses/ports of your processors for auth/settlements and block everything else.

    2. Gene W

      Thank you for those details. I have rarely seen confirmation that Micros POS was targeted in any of these hospitality POS breaches, although I expected it was involved in many of them due to its market position. We have taken the stance that implementing PCI DSS *properly* is the minimum that must be done for protection of systems such as these.

  4. Haseeb Ahmad Ayazi

    Why they took some much time to acknowledge? Companies focus more on earning and less on assuring the digital security of their customers.

  5. Zebetite

    “In October 2015, The Trump Hotel Collection confirmed a report first published by KrebsOnSecurity in June about a possible card breach at the luxury hotel chain.”

    Rather troubling when you realize that that particular chain’s owner is making a serious bid to be trusted with the US’s nuclear launch codes for four or more years…

    1. Jordan

      This matters just as much as Hillary’s husband hooked up with Monica.

    2. Paul

      Politics really ? Lets keep thing professional we have jobs to protect data and recover losses not express opinions , don’t be a drone.

  6. Sam

    With regard to the “Readers should remember that they are not liable for unauthorized debit or credit card charges” bit…

    Shouldn’t that read something more like “Readers should remember that they are not directly liable for unauthorized debit or credit card charges however the increased insurance and administration costs will be shouldered by everyone through ever-increasing merchant rates and credit card interest rates that only ever go up while all other kinds of interest rates go both up and down in conjunction with the ups and downs of the economy”?

    1. Blanche Dubois

      Zut Alors!
      Not quite. Details matter. Specific details matter even more…
      Know your Regulator rules for each US payment system before leaving your chicken house.

      From cash (vs. counterfeit cash; immediate confiscation) to paper checks (vs. pre-signed authorized; 48 hours) to debit card (vs. stolen # and PIN; 48 hours) to credit card (vs. stolen # and PIN; 60 days).
      M’gosh, that’s such a variable time spread across many payment systems for me to minimize my Consumer losses! How is a chicken to cope?

      Late news bulletin, my fine, feathers of pure gold, consumer chicken about to be plucked: If you don’t know the rules inside the cockpit, then you the Consumer, are the blinded chicken who is in the center, surrounded by the foxes. Good luck!

      (In keeping with the long internet tradition of distributing un-substantiated info by the electronic ton, don’t believe me. Check all of the above at w3.ftc.gov and w3.federalreserve.gov)
      Ya just can’t rely on the kindnesses of strangers anymore, except for me…

  7. Cassie

    I wonder why it took them so long to acknowledge it? I mean, the latest was July of this year, meaning almost 6 months ago. I have stayed at many hotels in this chain and now I need to check my card statements and such (I do that every month anyway).

  8. Greg Scott

    About whitelisting and such…

    Don’t put the whitelisting stuff on the POS terminals themselves. Just assume those POS terminals are all POS re: security, where POS has a couple of different meanings. Protect those POS terminals by isolating them behind an internal firewall and put your whitelist and access rules there. For the budget conscious, I spent many years building firewall systems based on Fedora Linux and scripts with iptables rules. Open source is a huge win with security.

    And the shameless plug – for anyone curious about how and why these breaches continue to happen, take a look at my new book, “Bullseye Breach,” a fictionalized story about a Minneapolis retailer named Bullseye Stores that loses 40 million credit card numbers to some Russians. The book website is http://www.bullseyebreach.com. One guy’s contribution to try to do something about our security problem by using an entertaining story to teach.

  9. Tony George

    Hogwash! Hilton has not been forthright at all. As a fraud analyst for a card issuer, I have proof that the breach is totally in their reservation system, started well before the first of the year, affects at least 8 of their 12 chains, and is STILL actively breached.

    This type of malware cannot be eradicated along the software channels – it will require a total hardware change – costing tens of millions of dollars and months and months to implement. Hilton is not willing to take this step. In my humble opinion.

    1. Jonathan Jaffe

      Tony: I look forward to reading about a large corporation that was skating on the thin ice and fell in.

      Please provide your proof to Mr. Krebs for verification and possible publication. Otherwise such claims are some much phlogiston.

      Jonathan @NC3mobi

  10. Dana Reese

    I stayed at the Hampton Inn (a Hilton Family Hotel) in Hobbs, NM in mid-October 2015 and my information was breached. So I agree this is ongoing or has been unresolved.

    The Hilton and the Local Owner of hotel have given me very poor customer service in communicating and their willingness to admit there is/was an issue.

    1. Tony

      Dana, the local hotel owner/manager is not able to assist in this regard – they are as in the dark as the consumer. This has to be dealt with on the corporate level. BTW, your card provider should handle your fraud issues, regardless of where the compromise occurred.

      1. Greg Scott

        I’m not so sure the issuing bank is on the hook for fraud anymore. After October 2015, when everyone is supposed to have EMV card machines, fraud liability now falls on the party with the least protection. So if the hotel never installed the new machines that read chip cards, the hotel itself might be on the hook for the fraud.

        Tony – you’re a bank fraud analyst? You would definitely like “Bullseye Breach.” It’s the only book I know of where a bank fraud analyst is a hero in the story.

        – Greg

  11. Tony

    Greg, you are correct in regard to the liability, but it does not befall the card holder to work that out. The bank does that behind the scenes. The card holder is not liable for the counterfeit charges, nor responsible for the mitigation of them.
    ~Tony

    1. Greg Scott

      Tony – true, the card holder is not liable. But let’s say Hilton “took its customers’ security seriously” in words only. The potential liability if Hilton took shortcuts with security safeguards could contribute to the jerking around Dana Reese reported.

      – Greg

Comments are closed.