White Lodging, a company that maintains hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin, appears to have suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013, KrebsOnSecurity has learned.
Earlier this month, multiple sources in the banking industry began sharing data indicating that they were seeing a pattern of fraud on hundreds of cards that were all previously used at Marriott hotels from roughly March 23, 2013 on through the end of last year. But those same sources said they were puzzled by the pattern of fraud, because it was seen only at specific Marriott hotels, including locations in Austin, Chicago, Denver, Los Angeles, Louisville and Tampa.
Turns out, the common thread among all of those Marriott locations is that they are managed by Merrillville, Indiana-based White Lodging Services Corporation, which bills itself as “a fully-integrated owner, developer and manager of premium brand hotels.” According to the company’s Web site, White Lodging’s property portfolio includes 168 full service hotels in 21 states, with more than 30 restaurants.
White Lodging declined to offer many details, saying in an emailed statement that “an investigation is in progress, and we will provide meaningful information as soon as it becomes available.”
Update: Feb. 7, 9:32 a.m. ET: White Lodging has issued a statement acknowledging a breach at 14 hotels, including Marriott, Starwood, Intercontinental and other brands. Also, NBC is reporting that White Lodging knew about this breach two weeks before this breaking story was first published.
Marriott also issued a statement, noting that “one of its franchisees has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels.” The statement continues:
“They are in the midst of the investigation and are in close contact with the banks and credit card companies. We are working closely with the franchisee as they investigate the matter. Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide. As this impacts customers of Marriott hotels we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely.”
Other hotel chains franchised by White Lodging — including Hilton and Starwood Hotels (which owns the Sheraton and Westin brands) — could not be immediately reached for comment.
Sources say the breach appears to have affected mainly restaurants, gift shops and other establishments within hotels managed by White Lodging — not the property management systems that run the hotel front desk computers, which handle guests checking in and out. In the case of Marriott, for example, all Marriott establishments operated as a franchise must use Marriott’s property management system. As a result, the breach impacted only those Marriott guests who used their cards at White Lodging-managed gift shops and restaurants.
News of the breach comes on the heels of similar attacks against major retailers. Last week, in response to questions about banks tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., the nationwide crafts and framing retailer said it “may have experienced a data security attack.” The company has so far declined to offer more information about the matter.
On January 10, upscale retailer Neiman Marcus confirmed that it was the victim of a hacker break-in that exposed customer card data. In a subsequent Q&A published on its Web site, the company said the breach at its stores extended from July 16, 2013 to Oct. 30, 2013, and may have impacted more than 1.1 million customer cards.
Target has said its breach — which ran from Nov. 27 through Dec. 15 — may have affected more than 40 million customer credit and debit cards, and name, address, email address and phone numbers for at least 70 million customers.
re: Merrillville, India-based
should that be Indiana instead?
I wondered the same thing. According to White’s website, it is in Indiana, not India.
It was a typo that has been fixed, thanks.
Many should be May in the second to last paragraph.
Typo India for Indiana still not fixed in 3rd para. as of 6:37 PST.
Would not have surprised me if it was India…
Thank India for producing IT guys, with we traveled century faster then we could.
Yet another scoop! Great work Brian. It’s a great time to be in InfoSec (cleanup)!
Hmm…restaurants & gift shops. They run point-of-sale systems, don’t they?
Clearly, the restaurant POS system would be online to the hotel’s property management system. If the gift shop happened to be a sublease, it may not be online. But more often than not, the gift shop would be online too. I’m speaking of full service hotels, not a cheap motel sitting next to a restaurant.
A lot of hotels still use a serial connection to tie the restaurant POS system into the hotel’s property management system. The restaurant or gift shop would typically process its credit cards separately and just forward total amounts over during the end of day/night audit process.
In the case of full-service properties, there will usually be an interface between the Point of Sale, and Property Management Systems. This will allow the posting of charges to the guest’s in-house account. However, it is usually a limited interface that uses a fixed-format data transfer, rather than allowing open exchange of information between the two systems. The more limited and structured the interface, the easier it is for the programmers to write compatible interface software for differing systems. For example, a MICROS POS might have to speak to the Marriott FSPMS, or to a Maestro PMS, or an Opera front-end…
John, I would like to talk a bit with you. Could you please contact me at email@example.com at your earliest convenience, please? Thanks, Carlos
I found out about your site during the Adobe breach and since then I have been impressed with your work and attention to detail. Growing up with you must have sucked because you probably figured things out before everyone else did… from magic tricks, circling in every “Where’s Waldo” magazine at the doctor’s office where you found him hiding to who really shot J.R. Ewing on Dallas.
Keep up the great work and stay squatchy.
I share your admiration for Brian, but he was 6 or 7 years old when you-know-who shot J.R. Ah, the good old days of serial tv cliffhangers. That was one torturous summer.
Brian, keep up the great work you do.
Wonder if they were using the BMC suite on those gift shop and restaurant POS machines?
Mother of God, how many of these breaches are going to get reported? This has officially crossed over from ridiculous to pathetic.
They’ve always been happening… more are just being reported publicly than previously. We are still talking a fraction of what is actually taking place.
Even though you hear about all the security being applied to these websites and databases, in reality the actual level of security maintained by most businesses is pathetically inadequate.
Until businesses realize security should very well be at the TOP of their business model, break-ins like these are going to continue.
I can’t tell you how many times I had management say to me “we just can not allocate that much of our budget to data security.”
Wake up American business; data breaches like this could actually put you out of business.
Unfortunately, it’s already known there are at least 3-6 POS related breaches in addition to Target… If not more. Most haven’t come forward yet, if they ever will. We are just hearing about them one at a time.
Question for clarification purposes. Brian, you wrote:
“But those sames sources said they were puzzled by the pattern of fraud, because it was seen only at specific Marriott hotels, including locations in Austin, Chicago Denver, Los Angeles, Louisville and Tampa.”
Does that mean the card numbers were only stolen from those locations (and possibly used elsewhere)? Or did you mean that fraudulent charges were only attempted at those specific locations?
I know that sounds like a hairsplit of a distinction. But really, it matters. In the former, if the card info was stolen *from* those locations, that could indicate some sort of local attack, like a POS or card terminal skimmer. If the latter, that doesn’t narrow down how the card numbers were compromised, but it might mean that criminals simply attempted to use them at those specific locations.
Does that make sense?
That makes sense… but the answer is obvious. A ‘breach’ has nothing to do with where the fraud occurred. Clearly this is a situation where the named merchants lost the data.
The pattern of fraud refers to the common point of purchase. When a bank looks at a bunch of compromised customer cards, they try to find out if the cards were all used at the same place over a same period of time. That often offers very strong clues about where those cards may have been compromised: Specifically, which company or merchant had a breach that compromised those cards.
Stolen cards are typically used at big box stores and grocery stores.
Common point of purchase (aka “CPP”) actually typically relates to a merchant ID #, not a particular location. Moreover, it is usually detected on the payment card level, not the issuing bank level. The card brands have some sort of back end fraud detection algorithm that processes instances of fraud reported by issuing banks and then ties it back to a merchant ID where the cards were all used in common.
Many merchants have separate merchant ids for each location for many reasons, including charge backs, sales analysis by location, etc.
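The common point of purchase analysis the two comments above describe (finding the merchant ID that cards later reported as fraudulent all share within a time window, and checking that it is not simply a merchant every card visits) as an added example; this is not code from the post or its commenters, and the transactions, merchant IDs and the set of flagged cards are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the post): one row per card purchase,
# as (card_token, merchant_id, purchase_date). Merchant IDs are per location,
# as the comment above notes many merchants set them up.
TRANSACTIONS = [
    # four cards later reported as fraudulent all shopped at one gift shop
    ("F1", "MID-GIFT-AUSTIN", date(2013, 4, 2)),
    ("F2", "MID-GIFT-AUSTIN", date(2013, 5, 11)),
    ("F3", "MID-GIFT-AUSTIN", date(2013, 6, 30)),
    ("F4", "MID-GIFT-AUSTIN", date(2013, 9, 14)),
    ("C1", "MID-GIFT-AUSTIN", date(2013, 7, 8)),
    # a big-box store that nearly every card in the portfolio visits
    ("F1", "MID-BIGBOX", date(2013, 4, 20)),
    ("F2", "MID-BIGBOX", date(2013, 5, 3)),
    ("F3", "MID-BIGBOX", date(2013, 8, 19)),
    ("C1", "MID-BIGBOX", date(2013, 4, 1)),
    ("C2", "MID-BIGBOX", date(2013, 4, 6)),
    ("C3", "MID-BIGBOX", date(2013, 6, 2)),
    ("C4", "MID-BIGBOX", date(2013, 7, 24)),
    ("C5", "MID-BIGBOX", date(2013, 10, 9)),
    ("C6", "MID-BIGBOX", date(2013, 11, 30)),
    # front desk: only two compromised cards, below the reporting threshold
    ("F1", "MID-FRONTDESK", date(2013, 4, 2)),
    ("F2", "MID-FRONTDESK", date(2013, 5, 11)),
    ("C2", "MID-FRONTDESK", date(2013, 6, 15)),
    ("C3", "MID-FRONTDESK", date(2013, 9, 1)),
    # purchases before the suspected window must not count
    ("F1", "MID-OLD-DINER", date(2013, 1, 5)),
    ("F2", "MID-OLD-DINER", date(2013, 1, 6)),
    ("F3", "MID-OLD-DINER", date(2013, 2, 9)),
]

# Cards that issuing banks later flagged as fraudulent (constructed).
REPORTED_FRAUD = {"F1", "F2", "F3", "F4"}

# Suspected exposure window; the dates mirror the ones the post reports.
WINDOW_START = date(2013, 3, 23)
WINDOW_END = date(2013, 12, 31)


def common_point_of_purchase(transactions, reported_fraud, start, end, min_cards=3):
    """Rank merchant IDs by how over-represented they are in the purchase
    histories of cards later reported as fraudulent, inside [start, end].

    Returns a list of (merchant_id, compromised_cards_seen, lift), best first.
    lift = (share of compromised cards that used this merchant)
           / (share of all cards that used this merchant).
    A lift near 1.0 means the merchant is simply popular; a high lift with
    many compromised cards is a candidate breach point worth investigating.
    """
    cards_at = defaultdict(set)   # merchant_id -> cards seen there in window
    all_cards = set()
    for card, merchant_id, when in transactions:
        if start <= when <= end:
            cards_at[merchant_id].add(card)
            all_cards.add(card)
    n_fraud = len(reported_fraud & all_cards)
    n_total = len(all_cards)
    ranked = []
    for merchant_id, cards in cards_at.items():
        fraud_here = len(cards & reported_fraud)
        if fraud_here < min_cards:      # too few cards to draw a conclusion
            continue
        fraud_share = fraud_here / n_fraud
        base_share = len(cards) / n_total
        ranked.append((merchant_id, fraud_here, round(fraud_share / base_share, 2)))
    ranked.sort(key=lambda row: (-row[2], -row[1], row[0]))
    return ranked


def rank_sample():
    """Run the analysis over the constructed data above."""
    return common_point_of_purchase(TRANSACTIONS, REPORTED_FRAUD, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for merchant_id, seen, lift in rank_sample():
        print(f"{merchant_id:18s} compromised cards seen: {seen}  lift: {lift}")
```

The gift shop ranks first with every compromised card and a lift of 2.0, while the big-box store also saw three compromised cards but scores below 1.0 because nearly every card in the portfolio shops there.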
Ah Ha! Micros. From the story “The Great Cyberheist” by James Verini in the New York Times Magazine. “Hackers working with an Estonian contact of Gonzalez’s hacked into the Maryland-based Micros Systems, the largest maker of point-of-sale systems, and stole software and a list of employee log-ins and passwords, which they sent to Gonzalez.” That’s all you need to know.
Quoting Dennis above:
“It’s a great time to be in InfoSec (cleanup)!”
Having to deal with cleanup is emphatically *not* a good thing, nor does it make this a good time to be in infosec. While such cleanup may confer a limited degree of job security, the whole point is to not have incidents like these happen in the first place.
I truly hope that this was simply a poorly-considered choice of words on your behalf. There have been too many times where I have run across infosec ‘professionals’ with this attitude, and it upsets me to no end that there are people in this field who hold it.
To be honest, the problem with infosec are all the people who are bad at it… and management who refuse to implement reasonable controls even when a bright bulb points out to them what’s wrong.
It’s a systemic problem that infests IT, who has seen our ranks swell with people who don’t have any actual talent for the field but get into it because they think it’ll give them a reliable paycheck. Problem is that if they don’t have any talent for it, the paycheck tends to be pretty unreliable, but they haven’t quite figured that part out yet so they’re still clogging up the field.
I wonder what LMS they are running. There are only a few commonly used. And many of these companies tend not to patch nor upgrade to latest versions.
I have no idea what an LMS is, but their POS was made by Micros, apparently.
LMS = Lodging management system.
And Micros is a provider of them.
Don’t mean to split hairs on acronyms, but this is a perfect example of why I help security teams take the tech talk out of their awareness programs.
LMS = Logging Management System
LMS = Learning Management System (usually how a Human Resources Dept. presents training packages to employees or otherwise known as CBT or Computer Based Training)
Acronyms are dependent on where you work, what you do and what you have done in the past. They should only be used in situations for law enforcement and military. This way information they want to keep secret is kept secret. Unfortunately, when we use acronyms in front of employees who are not in a technical function, we alienate them. I am not assuming this, I can tell you this from experience.
THD & BK,
Not to worry, Tom means PMS (Property Management System). That’s the term most people and companies use… including Micros for their Opera PMS.
IHG and Marriott both have Opera, so nix the PMS. Marriott divested themselves of their foodservice operations back in the early 1990’s. I figure the gift shops and restaurants are still separate from Marriott, so nix ‘ole J.W. (Marriott). If the leak was at the CC processor there’d be cards from everywhere a la HPS, scratch them off too. Restaurants/GSs most likely report to the property manager White Lodging; pending further details, the scrutiny will logically be with WL.
Micros provides interfaces that connect most POS systems to its Opera PMS system. The interface allows hotel guests to charge meals and other items to their room account. It is not uncommon for a property to have both POS and PMS systems from Micros.
Actually I did mean LMS (Lodging Management System) but I guess its use tends to imply the solution from Agilysys instead of a more generic term.
Good catch on the use acronyms, TheHumanDefense. I agree that their use can cause confusion. Thanks for building my awareness.
Some people would take that type of criticism the wrong way, and glad you could catch my sincere desire to just put a different light on your message, as I think it was an important note.
Not the first time Micros was involved in a breach.
It goes without saying, but people who simply pay cash for things are largely immune from all of this insanity. Sometimes you may even get cheaper prices, at the gas pump for instance.
I know, I know — “but my VISA gives me 1% cash back! And frequent flier miles!”. Meh. When I *have* to use a credit card for some online purchases, I use a “virtual” (one-time-use) number, then cancel it after I’ve received the order. Never been victimized by any of these CC info thefts.
But how much is your time worth? You can pay at the pump with plastic, but to use cash, you have to wait in line behind everyone buying cigarettes, candy and lottery tickets.
And how much time do you waste fixing broken credit or recovering from having your identity stolen? I’d say using cash and lining up takes about the same amount of time without the stress or hassles.
I have been a victim of credit card fraud twice in the decades that I’ve had credit cards. It was hardly an inconvenience, I spent maybe 2 hours tops speaking with the card providers, setting up my new cards, and the second time updating accounts with the new number. I think I would have spent far more time paying cash at gas stations over all of these years. I understand that those who are victims of identity theft are inconvenienced much more than I was, but I suspect the vast majority of credit card fraud is simple, like what I experienced. It would be interesting to see some stats.
Just want to add that I also take out rental cars regularly. I can remember several times when customers at the desk were unable to make reservations because they didn’t have credit cards. So here’s another example of inconvenience having a cash-only lifestyle. And online shopping, how is that done with cash? Buy a gift card with cash and then use it online? Not being contrary here, I’m actually investigating methods of payment so I can determine how best to handle mine.
One can use a rechargeable credit card for many things. I keep one with a balance of a couple of bucks and just transfer money to it when I am going to make a purchase (which takes about 3 minutes). That way if it were to get stolen (virtually or physically) the loss is very minimal, or purchase is declined when the fraudster tries to use it. One could also have 2 credit cards, one for day to day use and one which is only used for recurring payments. Not that those places couldn’t be breached, but with the trend over the past few years leaning towards high volume, retail is a great target. Easy to kill off a card that is only used for POS.
Brian, great work on these payment card breaches. As you know I work on data breaches from the legal side (e.g. helping companies understand investigate and understand their legal obligations after a breach). I have handled many payment card breaches and many of those have involved small and medium sized businesses (SMBs).
While I know that we all like to talk about the “Big Kahuna” breaches like Target, TJX and Heartland, the fact of the matter is that hundreds (if not thousands) of “little” breaches are happening each year in the SMB sector. Focusing on Target et al. makes it seem like these breaches are anomalies, but they aren’t; they happen each and every day. If anything, while the payload is smaller, it is often easier to get into an SMB’s point of sale system (they don’t have the resources or knowledge to set up even basic security in many cases).
Similar to their efforts related to monetizing stolen cards, the bad guys have efficient / scalable methods for finding vulnerabilities present in SMB point of sale systems. They can scan the Internet, find open remote access ports and plug-in known default usernames and passwords for the top POS systems.
Your story here is a good example of how the attacks can scale. Once they discover a vulnerability in one POS, doing a little more detective work, they can exploit the same vulnerability in other locations.
So, overall, I think the SMB market is another big story. When you combine the number of breached cards in the SMB I am sure it rivals some of the bigger headline breaches.
Moreover, if you want to make the case that the PCI-DSS “approach” (as opposed to the PCI-DSS standard, which is perfectly fine in a vacuum) does not work, that case is best made in the SMB market. I have talked to the owners of the franchises, hotels and restaurants, and what they do is sell goods, rooms and food. They often know nothing about IT, let alone the 200+ requirements of PCI-DSS. They rely on their POS vendors to set up their systems, and those guys disclaim any and all responsibility (and liability) for security and PCI-DSS compliance.
Great Work Brian and much appreciated for the effort you are putting in to share this information.
Wondering on the post mortem information from the Target breach. The crooks first collected the information on a Target server then moved it from there.
Could there be a rule/flag on an IDS for an admin to approve such a file transfer going out? Esp. when a large file is going out to one address, or range, or multiple files going out to the same address, within a short period of time?
…and the hits just keep on comin’
Who’s next? We should start a betting pool.
“Who’s next? We should start a betting pool.”
Anyone running Windows XP. :-Þ
If it is so easy to attack such large businesses, why would attackers even bother with small or medium-sized businesses? Simply put, lots of little attacks can quickly equal the same sort of payday, especially because smaller businesses may be less well-defended and take longer to discover intruders on their systems. A large business is ripe for attack and is easy to locate – attackers can use popular attack tools to find systems that have common vulnerabilities.
Four days ago the bank that issued my corporate credit card (which is ONLY used for work charges and mostly travel charges like airfare, hotel charges, and meals, given my job/role) called me and immediately cancelled and reissued my card. The issuer (JP Morgan Chase) said it was due to a data breach, but would not tell me which vendor was responsible or if there was actual fraud involving my account. I have never used this card at a Target, Neiman Marcus, Michael’s or similar shopping site. It’s also not used to purchase items online, generally speaking.
[My work card was also reissued about 18 months ago, in a similar but more vague “your credit information may have been disclosed by a vendor,” but they were much more lackadaisical about it, told me I could use my current card until the end of a trip I was on, said it was just a precaution/no need for alarm, etc. etc. etc.]
This time JP Morgan was firm – they called me and emailed me in the span of 15 minutes, said the card had to be cancelled immediately, there could be no delay, etc. etc. It was an interesting contrast to 18 months ago, especially since I could not see any actual fraud on my account online.
Anyways, I could NOT figure out what charges/vendor may have prompted this.
HOWEVER, I have stayed at approximately 75 different hotels in the past two years and paid using this card. This includes Marriott, Starwood, and Hilton properties. I wonder…..
Sad irony that these systems are referred to by the acronym “POS”.
These big companies seriously need to protect their data more
Brian, you need to change the subject. Breach after breach, after breach, it’s getting so boring. It must have been 5 or 6 breaches just in this month alone. That is more than enough. Soon you’ll be working 24/7 just to keep up with them all. There are hundreds, possibly thousands, of them going on every day and it’s been going on for years and years. Nothing will change until companies invest in IT security. Until then ……………..
Yes, I feel your sentiment, but it is still news, and important news at that. Of course there will always be breaches, but that is no reason to ignore them. Maybe if companies and the general public get a sense of how many organizations are owned, this will speed positive change.
Keep your ‘breeches’ on! I couldn’t agree more. Though it’s humiliating for the institutions involved, and they’d much rather these stories drown in the background noise, this is important. You said it, the magic word. Change. Though you’re certainly not a lone voice, you’re a trustworthy, knowledgeable and most importantly, LOUD voice.
Plus, I get the feeling you like the hunt. TallyHo!
How’s your Russian coming? Perhaps we could take up a collection for a few Berlitz lessons 😉
Too much change and your breeches fall down, exposing your private information.
I can tell you that just looking back over the last 2 years, and how many times I have seen the national news talk about this subject, and then compare that to 4 years ago, and it was almost never talked about.
I know of at least 8 times in the last year where your site was called out in a national news brief and that keeps the conversation going about just what is happening every day.
Thanks again for your time in putting the truth in writing. I know it’s hard work for you, and it’s well worth while.
Please do not be dissuaded from investigating and reporting on credit-card fraud. You often reveal information of value to non-specialists and alert us to threats that may not be fully reported by either the victims or the media.
Anyone notice their slogan on their website? “It’s the opportunity to make your mark.”
They need to change it to: “It’s the opportunity to make you the mark.”
Since we are now counting fraud victims in the multi-mil range, this issue has some serious legs. Most people you know will have been “touched” in one way or another. If one were politically inclined, there is some serious hay to be made from the sense of personal violation and feeling of insecurity and powerlessness.
Your average consumer (and I intend no insult) is truly unaware of what happens behind the curtain and gets their advice on info-sec from daytime T.V. level pundits: “write CHECK ID on the back of your card, opt out of pre-approved credit offers!” ohhhhhh…. goes the studio audience. They don’t understand how deeply broken the system is at its very heart.
Brian has done the country a service by providing simple explanations, that do not assume the reader has a background in IS/IT, telling some stories in lay-terms that are not in any way elitist or disrespectful (see “the value of a hacked PC”)
I foresee a time when Americans will seek protections for “security of Identity.” At its very core, I believe, that is what this issue is about. Though I love to come here to read about the “under the hood” details of sundry network penetrations, as many of you do too. It’s modern techno horror noir. Terrifying at worst, informative at best.
Imagine a candidate for high office, offering up a new and improved “National ID” serving no surveillance mission. Offering only secure ID, fulfilling our government’s sworn oath, “to protect against enemies both foreign and domestic.” Imagine that this offer comes right on the heels of yet another massive compromise (say..Disney resorts…) The candidate tells you that this new “National ID” will be loosely based on India’s very successful Aadhaar system ( http://en.wikipedia.org/wiki/Aadhaar )
Would you support her/him? I might. I know my parents would. Thanks to any/all for wading through this, it’s really been on my mind, how to build a better mousetrap (they always end up with too many moving parts!) and I keep arriving at the same, simple design. I promise this is my last post on Aadhaar.
I would support that candidate, under certain conditions.
But half of Congress is opposed to the requirement of showing a government-issued ID in order to vote. According to them, it’s racist. I can’t imagine that they would ever promote a national ID for tax filing or personal information security purposes because that would have to be racist as well, right? The premise of their faulty logic is that it’s soooo difficult for certain people to get any sort of government-issued ID, even many months in advance of its use. The ACLU web site says these poor people “would be required to navigate the administrative burdens”. Oh boy.
(Please nobody prejudge my political leanings based on this one post. I am non-partisan, sometimes supporting Dems, sometimes Repubs, sometimes 3rd party, sometimes none.)
The problem with voter ID is twofold:
1) It impacts low income voters far more than high income voters
2) It fixes a problem that virtually doesn’t exist – a handful of cases over the past 20+ years does not mean the government should strip voting rights from millions of citizens
If you can somehow get IDs into the hands of low income voters without expense, then at least you’re not instituting a poll tax. Poll taxes are illegal.
However there’s no way to get around #2. Why spend all this money to fix a problem that doesn’t exist? Because it strips people of their voting rights, most of whom by and large don’t vote for the party that champions voter ID.
I’m independent too but this is clearly a partisan issue being pushed by one party who thinks stripping citizens of their right to vote won’t backfire on them.
I would say it’s a partisan issue being pushed by one party pandering for votes from the people whose rights they claim to protect.
I don’t know about your state, but in mine a state ID costs $20, and eligible people can get them for free.
This is why we can’t have nice things. Politics.
It would be nice if we could just have some form of 21st century protections on ID. I find it disheartening that an ostensibly “less developed” nation can give this to its citizens, but we…. we probably never will. People will inevitably want to tie it to everything and anything. All I propose is a simple protected db that returns either a “yes” or a “no” based on biometric input.
Pie in the Sky.
I was just thinking that we probably need to revamp Congress so that there are several branches dealing with critical issues requiring highly specialized knowledge. How many of our current Senators and Representatives do you think could read that SecureWorks document and understand it? They revamped health insurance, but probably only the smallest fraction have any substantial depth of medical or insurance knowledge, and their IT knowledge is probably sorely lacking as well. They rely on panels and committees, visiting experts, contractors, etc. But they ultimately make their own decisions. I’m starting to think deeply about ways to get off of the grid, and I don’t just mean utility-wise. I don’t think we’re headed in a good direction, so every person needs to figure out how to best protect him/herself.
The funniest thing I am seeing lately due to all this reporting is the number of vendors with PowerPoints that say “Protect yourself from BREECHES!” At least three emails and one live presentation in the past week.
The “ee” form means something quite different than the “ea” form, but evidently marketers are not well-versed in proof-reading.
Of course, as “breech” does refer to coming out ass-first, I imagine it is an apt description of “PCI compliant” 😉
Time to stop using credit and debit cards.
I don’t know about debit cards (I don’t have one), but for the average person it’s almost impossible to stop using credit cards, isn’t it? Reservations (air, car, hotel) usually require them. And online shopping is tough without a credit card. Or am I missing some viable alternatives?
I agree. Stop using debit cards. Millions of individual people hitting back in the banks pocketbook by refusing to use their Visa or MC debit cards will hurt them. I also agree that it is hard to not use your credit card, but I think a message could be delivered if everyone stops using debit cards except at their bank’s ATM that would reduce their income and would be noticed greatly. I’ve stopped using my debit, switching to the credit card just means that I have to monitor my charges and send multiple payments each month after a charge is made via my banks website (more expense to the bank but not to me) to pay those charges before they incur interest. So stop using debit and start paying using the bank’s website more often. The will get the message eventually.
Dear Average Consumer,
“Nobody ever defended anything successfully, there is only attack and attack and attack some more.”
―George S. Patton
“Competition in the development of natural resources has the same history over and over again, regardless of the particular resource that is being studied.” Economics
All you can do to increase security is increase competition. Security increases drive out waste and drive down prices. If you aren’t driving down prices you will be driven out of business. You won’t need to be concerned with security.
“In the Season 1 episode “Prime Suspect” (2005) of the television crime drama NUMB3RS, math genius Charlie Eppes realizes that character Ethan’s daughter has been kidnapped because he is close to solving the Riemann hypothesis, which allegedly would allow the perpetrators to break essentially all internet security.”
…to be continued…let’s guess. They’ll be asking for ransom to be paid via bitcoin because it’s secure? All the hotel room security is broke.
Can you please let me know your other posts on Aadhaar?
Check out the Michaels story. Comments will be found there. This isn’t my blog, so it’s kind of impolite to use it as my own stump. But, thanks for your interest.
You were just cited and credited on CNN.
I just saw that CNN report. The correspondent should have mentioned Krebs specifically when she opened her report instead of just saying “a security firm”. At least later on she did specifically name him.
Does anybody know who the credit card processing company is for these hotel groups?
I’m beginning to view these credit card breaches as terrorist attacks. I think the US should expand its definition beyond “violence”. The calculated disruption of our financial systems can be just as debilitating as violent attacks.