April 13, 2015

In February 2015, KrebsOnSecurity reported that for the second time in a year, multiple financial institutions were complaining of fraud on customer credit and debit cards that were all recently used at a string of hotel properties run by hotel franchise firm White Lodging Services Corporation. The company said at the time that it had no evidence of a new breach, but last week White Lodging finally acknowledged a “suspected” breach of point-of-sale systems at 10 locations.

Banking sources back in February 2015 told this author that the cards compromised in this most recent incident looked like they were stolen from many of the same White Lodging locations implicated in the 2014 breach, including hotels in Austin, Texas, Bedford Park, Ill., Denver, Indianapolis, and Louisville, Kentucky. Those sources said the compromises appear once again to be tied to hacked cash registers at food and beverage establishments within the White Lodging-run hotels. The sources said the fraudulent card charges that stemmed from the breach ranged from mid-September 2014 to January 2015.

In a press release issued April 8, 2015, White Lodging announced the “suspected breach of point of sales systems at food and beverage outlets, such as restaurants and lounges, from the period July 3, 2014 through February 6, 2015 at 10 properties.”

While it acknowledged some of the locations breached this time around were the same as last year’s victim locations, the company emphasized that this was a separate breach.

“After suffering a malware incident in 2014, we took various actions to prevent a recurrence, including engaging a third party security firm to provide security technology and managed services,” wrote Dave Sibley, White Lodging president and CEO, Hospitality Management. “These security measures were unable to stop the current malware occurrence on point of sale systems at food and beverage outlets in 10 hotels that we manage.  We continue to remain committed to investing in the measures necessary to protect the personal information entrusted to us by our valuable guests.  We deeply regret and apologize for this situation.”

White Lodging said the stolen data includes names printed on customers’ credit or debit cards, credit or debit card numbers, and the security code and card expiration dates. Naturally, White Lodging is offering a year’s worth of credit protection services for customers impacted by the breach, from Experian.

22 thoughts on “White Lodging Confirms Second Breach”

  1. LtCrossbones

    Interesting. Finally we get to see what happens to a firm that gets breached a 2nd time. I’m thinking nothing will happen but I remain a firm believer in “Exit, Voice and Loyalty”.

    1. Slaphappy

      There’s this company called Sony. You might want to check on their history concerning security breaches.

  2. NotMe

    I would hate to be the MSSP who let this go by.

    Firms breached a second time? Like Sony?

    1. LtCrossbones

      I’m specifically meaning 2nd POS breach.

      1. EstherD

        SUPERVALU / AB Acquisition / Albertsons / Star / et al.

        Acknowledged first breach on August 14, 2014. Acknowledged second breach, which followed in less than a month, on September 29, 2014.


        That’s the grocery store chain *I* use regularly, which is how I know about it.

        Perps got my card, but the issuing bank saved my bacon by having really good customer service agents who were well-trained in security procedures. Otherwise, I probably would have been yet another victim of Identity Theft via PoS Malware!

        1. Sal

          Been there, Esther. Had my info snagged from my debit card at a popular restaurant. The bank immediately recognized what was a strange location for me to be at, froze the activity, and called me at home. Saved me a lot of grief. Only thing better would have been to find the creeps and have them busted.

    2. nov

      Let alone the real open-ended commitment to “continue to remain committed to … protect the personal information entrusted to us”, CEO.

      Hmmmm, let’s see what is said after breach three [“We continue to remain committed to protect the personal information entrusted to us,”™ – another trademarked pandering comment.]

  3. B_Brodie

    They could have at least offered a couple of free nights. Then again, the wifi is probably hacked too….

  4. Soy Tenley

    “… including hotels in Austin, Texas …”

    Where did you stay when you were in Austin for your book tour?

  5. SecureIAm

    More like “White Wash Dodging” never heard of these places, just like their security team has never heard of security. hah

    Ok, now I’ll sleep better knowing that:
    “White Lodging is offering a year’s worth of credit protection services for customers impacted by the breach, from Experian.”

    haha, And they ‘Experian’ only gave away your credit info to hackers in person, so you should trust them. only because they say so.

    “We continue to remain committed to investing in the measures necessary to protect the personal information entrusted to us by our valuable guests. We deeply regret and apologize for this situation.”

    Hey, Dave Sibley, Leave Security to the Professionals, and quit playing a game you know nothing about. also, Go Home Dave Sibley, you’re Drunk!

  6. Encrypt@POS

    Is there a shift on the horizon for US payment service providers to move away from solutions that perform encryption at the POS rather than at the EFTPOS terminal?

    It seems these breaches could be cut off at the pass if the data was not present for the RAM scraping malware.

    There is too much trust placed on merchant environments to protect card holder data and at the moment they are the softest target in the food chain.

  7. rick blaine

    I stay at Super 8 motels everywhere I go. No HIGH rollers there for sure! Plus, I run off with their complimentary soap and shampoo bottles.

    1. Mark Allyn

      Yes, there are lower rollers, but is that to say that the mathematical probabilities that Super 8 is less likely to be hacked than a high roller place?

      A POS is a POS whether it’s in a high or low roller place.

      1. Freddie

        Haha, nothing against you Mark, but I’m used to seeing the acronym POS to mean something less polite than Point Of Sale, so I really enjoyed your final sentence.

  8. Jackie

    It’s amazing how many companies have been getting hacked recently. Even the White House was recently part of a security data breach. People really need to be more aware of the cyber security trends of our time so that they are able to prevent them from happening.

  9. mbi

    I find it disturbing that hackers got the security codes, too. Companies should find a better way to protect security codes like use a black box to crypt them before entering it into the POS system.

  10. JCitizen

    I tire of this! Let the clueless fall by the sword! 🙁

  11. CooloutAC

    It’s gotta be employees that keep robbing them. I can’t help but keep thinking about these hacking gamer I used to play with that worked for a hotel in upper management.

  12. Roy Bercaw

    One more example of technology run amok. Always someone recognizes the potential for fraud, abuse, exploitation, evil and theft. Wait till electronic medical records, encouraged by the misguided White House health care laws, are breached.

  13. Thunderhead

    Had my credit card stolen by a Holiday Inn employee and used. Had my card debited for a stay when there was a credit card on file. Had to threaten to call cops before they would back off the charges.

    Holiday Inn requires you give them a credit card for ‘incidentals’ even if you have a cell phone, are a non smoker, and won’t watch pay per view movies. It is nothing but a security deposit.

    This is a scam. I asked one manager if he could guarantee my card would not be stolen by one of his employees. He did not like that.

    I terminated a 10+ year as platinum membership with them over this and moved onto another chain. They assigned my complaints to a very hostile individual and went toe to toe in both emails and over the phone. Corporate management did not care.
