March 4, 2015

In response to questions from KrebsOnSecurity, upscale hotel chain Mandarin Oriental Hotel Group today confirmed that its hotels have been affected by a credit card breach.

mandarinReached for comment about reports from financial industry sources about a pattern of fraudulent charges on customer cards that had all recently been used at Mandarin hotels, the company confirmed it is investigating a breach.

“We can confirm that Mandarin Oriental has been alerted to a potential credit card breach and is currently conducting a thorough investigation to identify and resolve the issue,” the company said in an emailed statement.

The statement continues, indicating that some of the chain’s point-of-sale systems were infected with malware capable of stealing customer card data:

“Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorization and in violation of both civil and criminal law. The Group has identified and removed the malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio.Unfortunately incidents of this nature are increasingly becoming an industry-wide concern. The Group takes the protection of customer information very seriously and is coordinating with credit card agencies and the necessary forensic specialists to ensure our guests are protected.” 

Mandarin isn’t saying yet how many of the company’s two-dozen or so locations worldwide may be impacted, but banking industry sources say the breach almost certainly impacted most if not all Mandarin hotels in the United States, including locations in Boston, Florida, Las Vegas, Miami, New York, and Washington, D.C. Sources also say the compromise likely dates back to just before Christmas 2014.

It may well be that the cards are being stolen from compromised payment terminals at restaurants and other businesses located inside of these hotels — instead of the from hotel front desk systems. This was the case with hotels managed by White Lodging Services Corp., which last year disclosed a breach that impacted only restaurants and gift shops within the affected hotels.

It should be interesting to see how much the stolen cards are worth, when and if and they go up for sale in the underground card markets. I’m betting these cards would fetch a pretty penny. This hotel chain is frequented by high rollers who likely have hi- or no-limit credit cards. According to the Forbes Travel Guide, the average price of a basic room in the New York City Mandarin hotel is $850 per night.

More on this story as it becomes available.

31 thoughts on “Credit Card Breach at Mandarin Oriental

  1. Tom R.

    Brian –

    Why the radio silence on the FREAK SSL/TSL bug? I would think that you, of all people, would be all over that issue.

    1. Canuck

      Because despite its scary name there is not much to freak out about. And Apple and Google will quickly fix their ends.

      “In practice, I don’t think this is a terribly big issue, but only because you have to have many “ducks in a row”: 1) find a vulnerable server that offers export cipher suites; 2) it should reuse a key for a long time; 3) break key; 4) find vulnerable client; 5) attack via MITM (easy to do on a local network or wifi; not so easy otherwise),” said Ivan Ristic of Qualys.

      ~ from

      1. Sasparilla

        As an FYI, Firefox appears clean on all platforms I.E. 11 is clean, except on (I kid you not) the Windows 10 Preview.

        Safari won’t be fixed till the week of Mar 10th…not sure about Google Chrome, hopefully sooner if not already.

        1. Sasparilla

          As an FYI, its now come out that I.E. 11 is vulnerable (& probably other versions) on all versions of Windows and Windows Phone.

          Again, use Firefox on any platform (OS) and you’re okay (it requires the website and the browser to both be vulnerable to be exploited).

      1. Ryan

        I would guess the lack of coverage is due to servers already being patched against this with the GHOST vulnerability earlier this year. There are no new patches for openSSL and so if you did the right thing during GHOST, you’re fine. For that matter, GHOST wasn’t covered either on this blog which is fine by me at least.

        That doesn’t account for the client side of things (browsers mainly), of course.

  2. Tess Man

    Good thing my employer is too cheap to let me stay at one of their properties 😉

  3. Donald J Trump

    Don’t get FEAK out people, just another breach that the main stream media won’t cover in detail.

    1. KrebsRules

      That’s probably because mainstream Americans don’t typically stay at Mandarin Oriental hotels. Not to mention this wasn’t a breach of personal information, just card numbers. The more often they report these incidents the less the mainstream will take notice.

  4. Geetu Vaswani

    It is high time the US enforced Chip and PIN or One Time Password as additional level of authentication of card transactions. It is in interest of card holders.

    1. Sasparilla

      Very true…Congress, Senate and President should do this. I couldn’t understand why U.S. Banks are using the PIN on the new cards, until the other day when I heard an explanation that makes sense.

      The banks are afraid the users will find having to remember the PIN numbers (set when the chip is burned? and not set by them) hard to remember and hence they won’t use that card (compared to a card where they didn’t have the PIN – hence the race to the bottom of the security measure for the Chip n PIN transition in the U.S.).

      Bryan – it’d be great to have an overview article detailing what consumers can do to get Chip and PIN cards as this transition takes place.

      1. Sasparilla

        Mistyped “are not using PIN” as “are using PIN” above.

      2. Natasha

        Hi there, when we went to Chip and Pin in Canada few years ago, we had the same fear of customers forgetting their pin numbers. Indeed, for the first few months after we implemented it across 800+ locations, we had some unhappy customers. Some of the elderly people were particularly unhappy. Few major lessons learned in the process, especially around static electricity issues with the terminals, size of buttons make a big difference, user experience/flow of how these terminals are programmed, remembering to re-set default passwords and many others.

        The noise from the customers stopped after about 6 months, as people quickly were forced to remember their pins. This change lead to a significant drop in fraud rates in Canada as reported by Canadian Bankers Association. Of course, the bad guys are looking for Call Centre, On-Line and Mobile channels as their next target.

        Today, if you happen to find a store or a retailer that doesn’t accept Chip cards, you are really suspicious of their business, and tend not to go there again. If a restaurant server has to take your card away in order to process payment, it also looks suspicious.

        Now, Canada is moving to tap payments for transactions, point to point encryption, tokenization and DTMF masking for voice transactions.

      3. CJD

        But most US banks are NOT going to chip and PIN, they are going to chip and signature. The cost of reissuing cards is a huge sticking point for banks, but the REAL reason there is no rush for security is because of the liability model….customers aren’t liable for fraud directly, the banks eat the fraud and then pass it back to consumers.

        Chip and PIN is a step, but it is not a be all end all. Online fraud has skyrocketed in areas where chip and pin has been implemented. Also, most retailers support fallback to magstripe if the chip is damaged, which means you can clone a chipped card with only slightly more work.

        You can reduce card present fraud and breaches with 2 steps, that never affect the customer: use tokenization so that you never store a usable card number, use end to end encryption so that as soon as you swipe the card all the way to the bank for authorization the card number is encrypted and a compromised POS register means nothing.

        1. jlindema

          +1 Amen. …and since many POS terminals fall back to magstripe, it’s important that the card being used has a dynamic magstripe so the [tokenized] number (not a static number or PAN) is encoded on it. More focus on *how* the card number is associated with a consumer, and *how* that number is used by the payment processor- vs. “securing” the number itself… is the key.

          1. CJD

            You don’t even need anything special in the magstripe itself, you can do this with existing magstripes, which cures the issue of banks having to pay to reissue cards. The way we do it is we capture the card number, send it to the bank for authorization, and the bank replies back with a tokenized number for the transaction that can’t be reused, when our pos gets that token it drops the card number from memory and we store the token for historical and charge back purposes, for us, the card number is never actually stored. The other half of that is using the end to end encryption so that the pos is holding an encrypted, meaningless card number, so even if the POS is compromised they cant do anything with it.

            And tokenization doesn’t hurt for reoccurring transactions either. When you save your card number, say with your power company, so that you dont have to type it in every month, they store the tokenized version of the number. If they are hacked, those tokenized numbers are meaningless because they can only be used by that merchant through their bank, you cant use those tokenized card numbers elsewhere.

            All the answers to 99% stop card present fraud are out there. The problem is, no one wants to foot the bill for the solutions. Some banks charge for tokenization, some don’t but there is usually some additional coding costs required for your POS software. The end 2 end encryption is the killer, because it is a cost per transaction solution, usually between 2 and 4 cents per transaction – now that doesn’t sound like much, but for us (and we are a relatively small retailer) that comes out to almost $1.3 million USD per year, and that is a HARD sell to the C level’s, they don’t want to take 1.3M straight off the bottom line, especially when it is so hard to quantify what the costs of a breach are, and it is nearly impossible to quantify the likelihood of your company being next.

            This is where the liability model breaks security. As a retailer, you don’t want to incur that loss of millions per year in costs, when the cost of fraud isn’t something that you have to absorb. The bank wants to get their extra service fee because they incur part of the fraud costs, and because, why not, banks make a LOT of money on service fees. At first glance you would think that the answer would be to just add a couple of pennies to your pricing as a retailer, but retail is so ultra competitive, that no one wants to have that higher price, even when it is a few pennies, and for a retailer like us in the discount market, you can’t add those pennies on.

            So we will keep arguing about chip and signature cards being the answer, when they aren’t, and never address the real solution, unless the card brands can find a way to force retailers and banks to implement the encryption and tokenization under the PCI controls, but based on my experience, that is not at all likely to happen….

  5. Rick Blaine

    I had a new bank Visa card hacked within 2 months of being issued and it happened shortly after a visit to a small, rural bar n grill in Illinois.

    Don’t know if they can sell a card number that fast but the fraud transactions all showed up in Boston. Don’t have to be a high roller to have it happen to you.

    Any update to the Anthem hack?

  6. Christi Engle

    Card Data Breaches are real and they are effecting businesses of all sizes. Heartland, a leader in the payment space, protects its’ partners from card data theft through E3 encryption, and tokenization.

    1. Ryan

      Ohhh the irony, Heartland! 2008 wasn’t so long ago.

      To be fair, the end-to-end encryption and tokenization solutions being offered by several companies are a huge improvement to what used to be the norm.

  7. Bill

    “Unfortunately incidents of this nature are increasingly becoming an industry-wide concern.”

    It’s not our fault, everyone is having this problem!

  8. Scott Shaffer

    Why aren’t we seeing more class action suits against these companies for their mistakes? First, I would expect there are plenty of people with standing (unless there isn’t because the individual card holders don’t suffer a real loss even in the event of fraud?) And second, I would expect there are plenty of law firms who would salivate over the opportunity.

    I would think that once it became material to them to have a breach these industries would spend the money to protect our data adequately.

  9. Christi

    Heartland has been forthright with full disclosure of the 2008 Breach. As the old saying goes, “what doesn’t kill us, makes us stronger.” There are processors that are developing more secure technologies for data protection. My hope is that business owners begin to value and expect end-to-end encryption, tokenization and guarantees from breaches through the processor. I’m not here to throw stones

  10. Mike

    Has anyone heard of what systems were breached at Mandarin properties? Property Management System, Point-of-Sale?

  11. Steve

    The piece vaguely surmises that the card data were being stolen from compromised payment terminals but my money lands on the reservation system. Which usually doesn’t follow strict adoption of PCI and where card PANs are even stored as xerox or in plain text mail.
    The hotel trade neglects PCI on epic scale and argues that the reservation process in the hotel demands to store card data the way they did it for decades.

  12. jlindema

    Cards like Final (@final ) use tokenization, for any device and has a physical component (for merchants that don’t have NFC capable readers).
    It’s my belief that tokenization and *control*…is the best solution to card fraud.

  13. TK

    Credit card terminals are the easiest thing to hack. I hope the new terminals are smarter. Companies secure their webs & “clean” web inputs, why the companies don’t put some emphasizes on credit card input. I guess the reader shld get what I’m saying here. Good luck

  14. Lauren

    Thanks for sharing the information about Mandarin Oriental. It’s definitely scary when these issues are occurring more frequently.

Comments are closed.