November 20, 2015

Starwood Hotels & Resorts Worldwide today warned that malware designed to help cyber thieves steal credit and debit card data was found on point-of-sale cash registers at some of the company’s hotels in North America. The disclosure makes Starwood just the latest in a recent string of hotel chains to acknowledge credit card breach investigations, and comes days after the company announced its acquisition by Marriott International.


Starwood published a list (PDF) of more than 50 of its hotel properties — mostly Sheraton and Westin locations across the United States and Canada — that were impacted by the breach. According to that list, the breach started as early as November 2014 in some locations, ending sometime in April or May for all affected hotels.

As with the other ongoing hotel breaches, the malware that hit Starwood affected point of sale systems at certain restaurants, gift shops and other outlets inside the impacted properties, rather than the hotels' central systems.

“We have no indication at this time that our guest reservation or Starwood Preferred Guest membership systems were impacted,” Starwood President Sergio Rivera wrote in a letter to affected customers. “The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date. There is no evidence that other customer information, such as contact information, Social Security numbers or PINs, were affected by this issue.”

Starwood joins several other major hotel brands in announcing a malware-driven credit card data breach. In October 2015, The Trump Hotel Collection confirmed a report first published by KrebsOnSecurity in June about a possible card breach at the luxury hotel chain.

On Sept. 25, this author first reported that the Hilton Hotel chain is investigating reports of a pattern of card fraud traced back to some of its properties. Bank sources said the fraud pattern they’re seeing all traces back to restaurants and gift shops at various Hilton locations. The company hasn’t commented further beyond its initial statement in September that it was looking into the matter.

In March, upscale hotel chain Mandarin Oriental acknowledged a similar breach. The following month, hotel franchising firm White Lodging acknowledged that — for the second time in 12 months — card processing systems at several of its locations were breached by hackers. Each time, the breach was traced back to point of sale systems at food and beverage outlets inside the White Lodging properties.

Readers should remember that they are not liable for unauthorized debit or credit card charges, but with one big caveat: the onus is on the cardholder to spot and report any unauthorized charges. Keep a close eye on your monthly statements and report any bogus activity immediately. Many card issuers now let customers receive text alerts for each card purchase and/or for any account changes. Take a moment to review the notification options available to you from your bank or card issuer.


26 thoughts on “Starwood Hotels Warns of Credit Card Breach”

  1. Chris P Bacon

    These types of breaches continue without any type of real investigation by the federal government

    1. CJD

      What exactly would you like the govt to do about it? Federal law enforcement does usually get involved in these, at the least they want to talk with the forensic firm after they do their investigation. However, there is little that even the top federal authorities can do about these breaches. These large scale breaches are all being perpetrated by the same few groups over and over, and sold by the same people, all of which are in countries out of the US law enforcement’s reach (mainly Russia and other Eastern Bloc countries, occasionally China). In fact, Brian identified EXACTLY who was selling the cards from the Target breach, who is likely also at least involved with those that perpetrated the attack. And you know how much it matters? Zero, because the guy and his group are in Ukraine.

      What you should be asking is, “Why is our government pushing EMV (Chip credit cards) as the solution to these breaches, when better options exist?”

      1. lessismoreorless

        I threw out the idea in another thread to SIGN a whitehouse.gov petition for better consumer safe guards post breach:

        http://wh.gov/iVUzX

        An executive order (like Obama’s CHIP and PIN executive order last year) for common sense consumer protections for data breaches involving core personal information (SSN, DL, financial, health):

        * Automatically placing 90 day credit fraud alerts on behalf of victims immediately after notification and provide the option to enable an indefinite credit fraud alert without waiting for an identity theft incident

        * Provide option for free credit freezes and thaws indefinitely without waiting for an identity theft incident

        * Build on FACTA and redesign annualcreditreport.com to handle adding, removing, and thawing credit freezes and fraud alerts across ALL credit related bureaus

        * A minimum of 5 yrs of free ID/credit monitoring service chosen by the victim from a marketplace. Additional free 2 yrs for each subsequent breach victim experiences

        1. CJD

          Well first, and just IMO, executive orders aren’t the answer to anything, that isn’t how our system is supposed to work.

          That said, again, just IMO, we should be focusing all that effort and expense into real PREVENTION, not post breach mitigation. In reality, at least for CC breaches, there is so little actual exposure to the consumer, that while all the things you mentioned might provide a warm and fuzzy, they are mostly unneeded, not to mention, a good number of consumers would be FURIOUS with immediate freezes, I know I would be.

          We shouldn’t be wasting all this money on EMV, when it really isn’t the silver bullet they say it is – well I can’t say we shouldn’t go to EMV, but there are quicker, more effective things we can do.

          But the REAL problem / answer lies in the liability model of credit. As long as the consumer and the stores aren’t on the hook for anything for a fraudulent transaction, because they are protected by the credit card brand, and as long as the banks and credit brands just pass all the losses for fraud back to the consumers in the way of higher fees and rates, then there is ZERO motivation to really fix anything.

          1. lessismoreorless

            Certainly agree that more comprehensive approaches are necessary. The problem is that comprehensive approaches tend to have a longer time horizon to get consensus on, and as you described, they can get derailed with outcomes that aren’t superior (EMV). For the sake of this argument, let’s say the perfect comprehensive solution is being developed right now by a private company/government that would completely eliminate all fraud, but it won’t come out until 2018. The criminals are not going to wait to use the data dumps from the recent breaches until 2018. Millions if not billions of consumer and company dollars are on the line until then.

            The executive order can be useful here because it allows us to immediately employ whatever limited tools we have available (fraud alerts and freezes) in the near term while better solutions can be developed.

            Also, just to be clear, the petition DOES NOT call for automatic freezing. It calls for automatic 90 day ‘fraud alerts’ placed on credit files when a breach of core info (SSN, etc) is disclosed. Freezing would still be consumer initiated, voluntary, BUT FREE for victims. More importantly all credit bureaus should be listed on an improved annualcreditreport.com style website and freeze/fraud changes could be done in one place for all.

      2. Thr3atHunt3r

        Maybe starting with application whitelisting would be a good idea.

  2. pboss

    Conveniently, they’ve already accepted Marriott’s buyout offer. No need to worry about a share price drop!

  3. RW

    @pboss. Do you really think that Starwood could sneak this large of an intrusion past the full discovery and due diligence required by law? Not a chance! Why risk it?

    1. Jonathan E. Jaffe

      RW: “required by law” and “done” are not the same thing. “due diligence” includes material items. The scope of the breach may have been pocket change (immaterial) to them. Still, do you think the voting Marriott shareholders might have liked to know about it before approving the purchase? Maybe they did.

      Or, has it just become a routine cost of doing business for them and a royal PITA for us? After all, in the end the consumer pays all the bills.

      CJD is right. There are better options, more secure, less expensive, easier to use and offer additional functionality.

      Jonathan @NC3mobi

  4. LessThanObvious

    Hotel security will always be a joke. The best you can do is have a burner card you don’t care about that you use at gas stations and hotels and such, a normal card just one you are willing to replace every year when it gets breached. Hotels staff non-technical people, pay little budget to IT and often staff desperate morons. They all have internet connectivity. It’s by nature a soft target with moderate value.

    1. RF

      This is a really good idea and the best one can do in the interim to protect their funds until better solutions are implemented. EMV isn’t the be-all-end-all solution even if PIN was required because the damn things will still have mag-stripes on the back of them until all the grannies and hold-out merchants pay up for the terminals and people get used to chipping transactions. To add, make sure the burner card is a credit card too, not a debit card. WAY easier to reverse the charges as opposed to a debit card.

    2. lessismoreorless

      Interesting thought – when you open a new credit card usually people ask for as big a limit as possible. But with a burner card (or a temporary credit limit change initiated by the consumer) I’d prefer a really small limit – maybe $200-400 so that damages could be controlled.

      Anyone aware of ways to ask for small credit limits on new cards, or to temporarily change the credit limit on an existing card?

      1. GM

        Yes, there is a way to switch your card on/off from your mobile phone. Or change the max amount that can be charged on your card in a single transaction, or in a day. There’s a cool app called C-Fence (www.c-fence.com). Your bank needs to offer it.

    3. CJD

      But why? Your max liability for a fraudulent, card present transaction is $50, and RARELY do card companies or banks even put you on the hook for the $50. Your liability if it is a card not present transaction (phone / web / etc) is $0. All you are protecting from if you do this is from having your main credit card turned off until you receive a new card in the mail, and you can basically mitigate that same risk by opening a second account and never using the card unless your primary card is turned off, and this way you don’t have to fight to get a lower limit.

      1. lessismoreorless

        @CJD:

        Well sure if I only care about myself, then agreed, a bank will reimburse whatever fraudulent charges appear on my credit card. But just because they reimburse me, doesn’t mean that money hasn’t been lost by someone (either a merchant, bank, or an innocent money mule in between). Someone is losing that money, if it isn’t you.

        Also, oftentimes when abroad you’ll need cash for things and a debit card might be in play. You don’t always get reimbursed for those, and if you do it takes a while. That’s why when I travel I use a no FOREX fee card with no ATM fees but only keep a few hundred dollars in it. I can always transfer more to the card in a pinch online.

        1. Jonathan Jaffe

          Don’t be so sure about banks. There is a significant change in the presumption of innocence with the shift to EMV. See http://www.nc3.mobi/emv/#cpi and the case of a Mr Gambin, “who was refused a refund for a series of transactions that were billed to his card and which HSBC [ his bank ] claimed must have been made with his card and PIN at an ATM in ” even though Mr.Gambin proved he was NOT in [place where they said]. More info on the same page.

          Even if your provider does reimburse you please remember that is a cost to them and they pass costs to you. In the end the consumer pays all the bills

          Jonathan @NC3mobi

      2. lessismoreorless

        With that said, I agree it’s not really a widespread solution for anything of importance. Most fraudulent charges are small amounts in the beginning anyway, right? Just brainstorming along with the other commenters 😉

  5. Robert.Walter

    Wonder if Marriott’s due diligence actions predicted or uncovered any of this. (Didn’t read article yet.)

  6. SeymourB

    It’s always interesting to see what stories get released late in the day on Fridays. Political organizations often wait until Friday afternoons, sometimes even evenings, to drop bombshell revelations about their organizations, hoping that by the time Monday rolls around most of the 9-5 set won’t look that far back into the news.

  7. JJ

    Gosh! Just found this out, now everything makes sense. For the past 7-8 years I have had Starwood. Whenever I called to make a reservation, they would ask for my web password, and I never thought about it. Now that I think about it, the stupid high school dropout operator had access to all my credit cards and details on my account. So, when I called last week for reservations, they had a new system. I needed a PIN. I told them I have never had to provide a PIN in 7 years and have never set up a PIN. She insisted this was a standard practice and has been for a long time (sic! one month before sale). She would not accept my reservation. I had to ask for a supervisor. So, just because they had a lousy security policy my information was probably compromised!! I smell corporate rats hiding stuff ….disgusting, want to see the CEO stripped of his bonus

    1. canuck

      “Now, that I think about it, the stupid high school dropout operator had access to all my credit cards and details on my account.”

      With an attitude towards others like that – hopefully karma strikes.

  8. Darrell

    You wouldn’t use the same password at multiple websites would you? Especially if that password had access to money.

    You wouldn’t hand your reusable password to a waiter or waitress to pay the bill at a restaurant would you?

    A credit card number is a reusable password with access to money. The credit card companies set up the system and then require vendors to go through the hell of PCI compliance to be able to accept the cards.

    Technology has now advanced far enough to enable removing the reusable password component of credit cards. It will take a few more years but I look forward to that being fully implemented and this particular type of reusable password becoming history.

  9. Jonathan Jaffe

    PCI compliance is no guarantee either.

    Q: How did Target pass its Payment Cards Industry Data Security Standard (PCI-DSS) certification examination? Quoting Target Chairman, President, and Chief Executive Officer Gregg Steinhafel “Target was certified as meeting the standard for the payment card industry in September 2013

    more at
    http://nc3.mobi/references/20131218-target/#20150921

    There is a better way

    Jonathan @NC3mobi

  10. Geekazoid

    I was principal PCI auditor for Dell in 2013-14 when we performed the audit for Hilton Worldwide. I was peripherally involved in the PCI audit for Neiman Marcus in 2012. I was centrally involved in the PCI audit for Home Depot in 2007. In each case, I advised management that their systems–their entire network–was vulnerable to attack. Each was for different specific reasons. But the one thing they all had in common was LACK OF SENIOR MANAGEMENT ATTENTION.

    Security is still an afterthought to the executive suite. These businesses are still being run as if today is 1985 instead of 2015. Management STILL believes “if it ain’t broke, don’t fix it”. So they continue to run on outdated hardware and unsupportable software. Hilton had one of their production systems running on a Sun Ultra 50 running Solaris 2.6. This technology is hideously outdated (a contemporary of Windows 95). But the funds and time/attention to upgrade or replace this system did not exist. There was no way that this could pass the 2007 audit standards, so they self-certified it as compliant. Later, they fired Dell and continued their PCI compliance project using only (overworked, uncaring) internal staff.
    Security cannot be an afterthought. It can not be thought of as a necessary nuisance. Until the Senior Management “gets the religion” of security, and implements in-depth, multi-layer security, nothing will change.

  11. Jack Smith

    I worked at Starwood over the past couple of years – they know their applications were like swiss cheese and open to hacking – they also did not fund a major security program during that time for $10M – Starwood got what they deserved!! Like how they kept it quiet until after the Marriott purchase!!

  12. CommonSense

    It seems to me that there is a pattern here that most likely points back to payment processors. Why isn’t there a greater spotlight on these types of companies, and their security controls?
