September 25, 2015

Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States. Hilton says it is investigating the claims.

In August, Visa sent confidential alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity that is known to have extended from April 21, 2015 to July 27, 2015. The alerts to each bank included card numbers that were suspected of being compromised, but per Visa policy those notifications did not name the breached entity.

However, sources at five different banks say they have now determined that the cards included in that alert share only one common point of purchase: they were all used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts.

In a written statement, a Hilton spokesperson said the company is investigating the breach claims.

“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” the company said. “We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”

As with other recent card breaches at major hotel chains — including Mandarin Oriental and White Lodging properties — the breach does not appear to be related to the guest reservation systems at the affected locations. Rather, sources say the fraud seems to stem from compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties.

It remains unclear how many Hilton properties may be affected by this apparent breach. Several sources in the financial industry told KrebsOnSecurity that the incident may date back to November 2014, and may still be ongoing.

This is a developing story. More as updates become available.


55 thoughts on “Banks: Card Breach at Hilton Hotel Properties”

  1. Bob

    Hmm. We stayed at a Hilton Property this past June, but didn’t use any on-property services other than front desk check-in / out, so I hope we are safe. Haven’t seen any unexpected charges on the card used to pay for the room.

    1. Biz

      I stayed at a Doubletree in June. I used to purchase coffee and bagels in the morning. This past Saturday my bank notified me of fraudulent transactions against my account. Someone tried to use my debit card at a Target in the Bronx. My card is still in my wallet. Thankfully, the bank figured out it was fraudulent and contacted me via text and phone call. No fraudulent transactions were made to my account. Thanks People’s Bank!

    2. David

      I got a call from my credit card (VISA) bank’s fraud detection department today indicating that my card has been compromised and would need to be replaced. This was quite a mystery to me especially as I verified with the bank rep that all recent transactions were valid.

      However after finding this website I think the mystery is now solved. I did use my card at a restaurant at a Doubletree hotel during the time window in question. Although no fraudulent charges seem to have been made, I guess the bank is going down the list of possibly compromised cards and contacting people to replace their cards.

  2. David

    We received a new card in mid-August which the bank said was tied to a suspected event. Which was odd as the card is rarely used. But it was used at a Hilton brand on July 26, which may mean mystery solved.

  3. PM

    Always enjoy your articles. I’m not extraordinarily tech-savvy, but your articles are written in a clear and concise form that allows me to understand. Keep up the good work, Brian.

  4. Nick

    Personal data point – Chase Sapphire Preferred Visa used at both the front desk and the hotel bar at a major Hilton property in Chicago on 6/6. Fraudulent charges began on 8/7, and the card was shut down the same day.

  5. Robert.Walter

    So, if, according to the PR flak, Hilton is uber committed to card security and in doing so works with top men (“who? Top men!”), does this mean that there is no room for improvement? If improvement potential exists, and Hilton is über committed, then why didn’t Hilton pro-actively implement these?

    Until CEOs and their firms are sued, pro-activity seems like an academic abstraction.

    1. JCitizen

      That is pretty much what I was thinking as I read the usual tired excuses! Plus, +1 to you, sir!

    2. nov

      -1 point for Hilton x the number of cards breached x the number of experts that aren’t experts.

    3. Scott Sattler

      I interviewed with Hilton and had to mute the call as they described their security program and how it worked. It comes as no surprise to see them in the headlines. Hiring the cheapest labor force and pretending to care about security doesn’t cut it.

  6. FB

    I wonder if a card breach will be as damaging to the Hilton brand as Paris Hilton’s shenanigans.

  7. Robert.Walter

    I finally convinced a friend to put his Hilton HHonors AMEX into Apple Pay. I think he is now pretty happy to know that there is no way such a scam can compromise his card any more.

    1. Jon Marcus

      How does putting a card into Apple Pay protect it from a scam like this?

      1. Nilesh

        When you use Apple Pay your actual credit card number never gets transmitted to the vendor’s payment system; instead a disposable card number gets transmitted.
        Even if vendors’ systems get compromised, your actual card number never gets compromised.

        1. Robert.Walter

          It’s even better than that. Apple Pay is tokenized, so in addition to the alias card number (unique to each Apple device you own, i.e. Watch, iPhone, iPad), the device provides a single use pin code with each transaction.

          So even if your alias card number was captured by black hats, they wouldn’t be able to use it because they would need to know the new pin codes the bank is expecting for each subsequent transaction.
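The alias-number-plus-one-time-code scheme described in this thread, as an added illustration rather than code from the thread or from Apple: a constructed issuer provisions each device with an alias number and a secret key, every payment carries a counter and an HMAC cryptogram, and the issuer rejects replays of a captured message and anything computed without the key. The message layout, key handling and counter rule are simplified assumptions, not the EMV or Apple Pay specification.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class IssuerRecord:
    pan: str            # real card number; never leaves the issuer
    device_key: bytes   # per-device secret provisioned at enrolment (assumed design)
    last_counter: int = 0   # highest transaction counter accepted so far


def make_cryptogram(key, alias, amount_cents, merchant_id, counter):
    """Per-transaction code bound to alias, amount, merchant and counter."""
    msg = f"{alias}|{amount_cents}|{merchant_id}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Issuer:
    def __init__(self):
        self.by_alias = {}   # alias (device account number) -> IssuerRecord

    def enrol_device(self, pan):
        """Provision a random alias number and device key; return both to the device."""
        alias = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        key = secrets.token_bytes(32)
        self.by_alias[alias] = IssuerRecord(pan=pan, device_key=key)
        return alias, key

    def authorize(self, alias, amount_cents, merchant_id, counter, cryptogram):
        rec = self.by_alias.get(alias)
        if rec is None:
            return False
        if counter <= rec.last_counter:      # replayed or stale message
            return False
        expected = make_cryptogram(rec.device_key, alias, amount_cents, merchant_id, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False                     # wrong key or altered fields
        rec.last_counter = counter
        return True


class Device:
    def __init__(self, alias, key):
        self.alias, self.key, self.counter = alias, key, 0

    def pay(self, amount_cents, merchant_id):
        self.counter += 1
        return (self.alias, amount_cents, merchant_id, self.counter,
                make_cryptogram(self.key, self.alias, amount_cents, merchant_id, self.counter))


def demo():
    """Returns (first payment ok, replay ok, forged ok, alias differs from PAN)."""
    issuer = Issuer()
    alias, key = issuer.enrol_device("4111111111111111")   # constructed test PAN
    phone = Device(alias, key)
    legit = phone.pay(1250, "HOTEL-BAR-01")
    first = issuer.authorize(*legit)
    replay = issuer.authorize(*legit)        # the same captured message sent again
    # captured alias reused with a new amount and counter but without the device key
    forged = issuer.authorize(alias, 99900, "OTHER-SHOP", legit[3] + 1, b"\0" * 32)
    return first, replay, forged, alias != "4111111111111111"


if __name__ == "__main__":
    print(demo())
```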

          1. Jonathan E. Jaffe

            Yet “Apple Pay fraud is running a rate of $6 per $100 in transactions, some 60 times higher than normal.” “That six percent fraud rate is compared to a 0.1 percent fraud rate that banks see with traditional magnetic stripe cards.”

            Some references:
            http://money.cnn.com/2015/03/18/technology/apple-pay-fraud/
            http://blogs.wsj.com/digits/2015/03/03/fraud-comes-to-apple-pay/
            http://www.thestreet.com/story/13066345/1/as-apple-pay-fraud-grows-banks-scramble-to-fix-credit-card-flaw.html
            http://arstechnica.com/apple/2015/03/the-weak-link-in-apple-pays-strong-chain-is-bank-verification-whos-to-blame/

            Also – a one-time charge card account is a huge time consumption when I order over the internet because I have to enter the card information each time. Worse, in the case of a multi-ship where the card is charged each time for each partial shipment, the one-use card won’t get authorized.

            There has to be a better way.

            Jonathan @nc3mobi

            1. Robert.Walter

              The fraud issue was not with Apple, or Apple Pay per se but with the various verification requirements of the issuing banks.

              It seems to me the fraud path was mitigated not long after the articles you cite were published, merely by banks requiring the cardholder to call their bank for final verification. Previously, fewer banks required this step.

              It would be interesting to see the current state of Apple Pay fraud as I expect, that since better verification requirements were implemented, fraud has probably dropped to benchmark levels.

              PS: I know you are promoting some other kind of system, but it doesn’t seem fair to knock alternatives with out-of-date references.

          2. Jonathan E. Jaffe

            Protecting the consumer’s confidential credentials with tokens is a good idea, but a solution focusing on card present only transactions with little consideration for the growing avenues of commerce using mobile and electronic communications is incomplete. Nor does it take into account the impact on total crime for smaller merchants with no physical presence. (page 9 of reference below)

            The volume (as opposed to value) of fraudulent transactions is at a four year high (page 11 of reference below) for both prevented and successful attempts. The costs of mitigation are also high.

            See True Cost of Card Fraud, a 34-page PDF from LexisNexis, September 2015:
            http://www.lexisnexis.com/risk/downloads/assets/true-cost-of-fraud-2015-study.pdf

            There is a better way.

            Jonathan @nc3mobi

    2. Moike

      …. And the Hilton doesn’t take Apple Pay. Boom, my card was misused two weeks after a stay there.

      1. Robert.Walter

        You are right, Hilton /= Apple Pay.

        Fortunately for him, he just received a Marriott Visa card, and put that into his iPhone’s Apple Pay wallet. According to their site, Marriott hasn’t completed their Apple Pay roll-out, but it seems they are ahead of Hilton. I suspect my buddy will be staying at Marriott instead (he’s a Courtyard fan anyway).

        I would suggest that Hilton, as part of their upcoming cleanup and reputation overhaul, might want to embrace Apple Pay too.

  8. Sean

    Credit card vendors need to switch to embedded chips with OTP technology to ensure transaction security and prevent these types of scams. I don’t understand why one of the most technologically advanced countries on Earth is so far behind when it comes to credit card security!

    1. JCitizen

      Supposedly, since VISA came on board to force the issue, the rest of us in the US will soon have “Cowchip in Pen.” I really think it is a lot of expense for something that has been cracked by criminals already. Whether my bank will have OTP, I don’t know, but maybe that will improve the old chip/n/pin tech.

      1. Maurice

        Chip and PIN hasn’t been cracked, as we Europeans could tell any American. There is a steady stream of breaches like this, all based in the US and Mexico, none at all in Europe, and our thieves are as good or better than any of yours.

        1. Sam

          I like how you take ownership of your thieves; it’s rather comforting.

        2. jaded

          @Jordan, that break was 5 years ago and was corrected in the EMV protocol, as was the 2011 pre-play attack. Current Chip-and-PIN has no such demonstrated breaks.

          Also, keep in mind these attacks cannot be scaled-up like the breaches that hit Target, Home Depot, and so many other companies. These are only single card attacks.

          The primary risk of chip cards today is with Card Not Present transactions, and chip cards being mag-stripe skimmed in non-EMV terminals (the old-fashioned way.) Because EMV has no security requirement to encrypt PAN, it can still be skimmed and used on-line – even though EMV does not send a static CVV that can be reused, some web sites or shops can still be duped into accepting plain account numbers without proper authentication.

          These weaknesses exist only in the legacy systems, not in the EMV payment world.

        3. CJD

          Too bad the US isn’t doing chip and pin (we are doing chip and signature which takes far less to commit fraud.)

      2. Jonathan E. Jaffe

        JC – You are right on the expense! Regardless of who shells out the funds in the end it ALL comes from the consumer’s pocket. EMV does good things for card-present transactions, but until my phone and computer have slots how can I use it for my e-commerce transactions?

        There is a better way.

        Jonathan @NC3mobi

        1. John

          Jonathan, there are tokenization services that are essentially the on-line equivalent of ApplePay/GoogleWallet (they were available and in limited use many, many years before ApplePay and GoogleWallet). They go by various names, but the first vendor I knew of that tokenized card numbers was named Orbiscom before they were bought by Mastercard. Take a look at Wikipedia for “Controlled payment number” for more info. Thankfully Citibank offers “Virtual Card Numbers” that I use almost exclusively for on-line transactions. I think BofA offers them too. Discover used to, then stopped for a while- now I think they’re back? If banks had better promoted this technology _years_ ago, not only would fraud have been significantly reduced all these years, but consumers would be more educated and better prepared for the next evolution of the technology (such as ApplePay & GoogleWallet)

          1. Jonathan Jaffe

            I know of these pseudo-cards and they were helpful, but (as you noted) were another burden on consumers. BofA’s offering (as I recall) was a one-time use, you had to get one via the web, then use it. This required the consumer to enter the information each time on each site those cards were used.

            Consider where the consumer identification is a true token (random to content), and the context-sensitive authorization is encrypted with a modest code, unique to each consumer, then partially encrypted again with a provider-specific code. This is partial dual encryption. The merchant obtains the message via optical scanning (coupon scanners or even a smart phone) for physical presence, or web file transfer or MMS transmission for electronic presence; there are even ways for non-presence transactions (think buying from a printed catalog or a utility bill received in the mail without using a computer). The merchant passes the message to the provider, who can identify the consumer from the token (no one else can), retrieve the unique decryption code and approve or disapprove the transaction.

            Because the security is in the message (not dependent on the transmission medium) the concept works for all avenues of commerce, within existing transaction and communication systems, imposes no new hardware on the merchant, and because the security is not dependent on consumer control, breaks the traditional inverse relationship between increased security and ease of use. The concept works with stock smart phones, which means no expensive EMV cards or readers. Now, how can I get that in front of Ajaypal Banga?

            Jonathan @NC3mobi

    2. chuck fonta

      As one of my teachers would say: “People, think!” As long as the insecure business is not liable for the fraud, why would they implement costly security measures? To use a common expression, “It’s no skin off my nose.” As I understand the law now, the vendor who honors the fraudulent card is liable, not the criminal or the origin of the security leak. Banks and credit card vendors are now planning to pass down the liability to someone else, either the source of the security leak, the issuing bank or the accepting company. Can you imagine just how difficult it will be for the average card holder to prove who is responsible?
      So in the long run, the card holder gets to hold the stinking bag of fraudulent charges.

  9. Tim

    I’ve always enjoyed your reporting, Brian, but lately you have really been on point. Thank you for producing this and providing it to us.

  10. Christian

    Chip cards would have done nothing to stop the theft of data from Hilton, Target, Home Depot, or name your favorite breach. Saying chip cards would have stopped this is a misleading statement. Chip cards do 1 thing only: prevent someone from making a duplicate fake card and using it. The chip is hard to copy. Chip technology without encryption in the devices (which is not standard) still sends the card number and expiry date in the clear. Hackers can still use this data to commit fraud. Chip technology has been around for 25 years and fraud in Europe still exists. Chip cards reduce it. Further the US is deploying the chip transaction with a signature not the chip card with a PIN number. No one checks a signature. If a PIN was required with all transactions, then the stolen card numbers would have little to no value except at some online retailers who still don’t support the 3 digit code on the back. Remember, the US is the largest economy by far and the amount of old systems is vast. Upgrading all of them takes a lot of money, expertise, and most importantly: time. There are other technologies that stop the theft in its tracks like encryption and tokenization, but they can be costly.

    1. icknay

      This myth keeps circulating for some reason (perhaps the Target-corps repeat it, trying to make it appear that there was nothing they could do). EMV will put a huge dent in Target-style breaches. Ask yourself this: why is it that all the breaches, Target, Home Depot, etc…. are in the US, not in EMV-using Europe? EMV has problems, but breach of card data is one case where it works well.

      1. jaded

        @icknay,

        Agreed. EMV absolutely would have helped reduce the scope of the Target and Home Depot breaches; only mag-stripe cards used in their terminals would have been at risk. But Target and Home Depot aren’t shilling for mag stripe cards, they both aggressively pushed chip terminals into all their stores. They are also at odds with the National Retail Federation, who is dragging their feet and whining for exemptions to the liability shift to not deploy EMV terminals by the scheduled date.

        Basically, every company that’s been breached is aggressively pursuing EMV.

  11. Eaglewerks

    From what I can tell from the above disclosures it seems that it was primarily a restaurant, gift shop, vendor breach, rather than an actual Hilton front desk breach. Is it possible the breached systems, dependent upon the location, may not have been under the actual security purview of the Hilton Corporation?

    My pet rant: “Live now, pay later. Diner’s Club! Why don’t you grow up, Baxter?”*
    I am not sure why so many people that respond to Krebs’ articles demand to have so much “plastic” in their lives. One must remember that average-person consumer plastic (from the original ‘Gold Card’ from the First National Bank of San Jose, to the later BankAmericard, then to Visa and MasterCard) was invented to increase the consumer debt to those banks that issued the cards. These consumer credit cards have made banks very rich. Plastic for ‘high rollers’, or perhaps I should say ‘pseudo high rollers’, started in 1950 initially with Diners Club and then later expanded with Carte Blanche and American Express as competitors. In those days real high rollers and the uber rich simply signed their dinner, bar, hotel or purchase receipts. When not surrounded by assistants or a companion they would sometimes carry a few hundred dollars to use for the odd tip or incognito purchase.

    So in this ‘modern electronic age’ what does one that is not reliant upon a credit loan from their bank do? Well, the answer is simple. Always be security aware, but do not be a nervous ninny. Use a small balance checking account (personal or business), use a small balance nationally known Visa or MasterCard. A number of financial companies who issue stored-value or pre-paid debit cards containing a Visa or MasterCard logo can be used like credit or debit cards at shops and at ATMs. Make sure the one or two such cards you carry have Credit Card Consumer Protection Rights, some may not. You should be able to access all of the above via some form of electronic means, then from one of your other checking, money market or savings accounts transfer funds into the above as needed. Always carry some cash for your meals, small purchases or lattés. When traveling or on vacation, I have found that if I should run short on cash, the Hilton front desk has always been pleased to cash my check for perhaps $500.

    My biggest concern is actual personal and corporate computer hacking, and the lack of education so many seem to have around electronic security. That includes any item that potentially connects to any source external to the device itself.

    *In the 1960 film The Apartment, Jack Kruschen playing Dr. Dreyfus, makes a reference to Diners Club when lecturing Baxter (Jack Lemmon): “Live now, pay later. Diner’s Club! Why don’t you grow up, Baxter?”

  12. Mark

    I disagree with many posters on this thread. There is no way any business can protect your information, when that information has value. In many hotels I am attacked in seconds, the moment I turn on the wifi card. I see the RDP streams very quickly on brand new fully patched notebooks.

    They are in the reservation systems that are connected to the micro data loggers that control the hotel energy use. They know when you are coming. Automation always comes before data protection strategies. The insecurity is built-in.

    1. CJD

      Actually there are 2 technologies that, when implemented, can reduce about 99% of this type of fraud. You use tokenization for the storage of ANY card data, making breaches that capture the card number from a post-transaction database worthless, because it is a token that is worthless to them. Add end-to-end encryption for the transaction itself, and hackers can no longer steal the card number during the transaction, because it is encrypted from the device that reads the card all the way to the bank, and even the vendor doesn’t hold the keys to decrypt that data.

      The only attack vector left after implementing those 2 items is physical fraud where the card readers have a skimmer placed on them to steal magstripe data before it even gets to the device for encryption. Nothing can completely stop that (EMV helps), but you SIGNIFICANTLY reduce the attack surface, because now someone has to physically touch every device they want to compromise.

      1. Jim

        PCI pretty much requires both of those. Tokenizing the account information is standard and saving CC information directly is forbidden. For the second point, SSL is required on all hops between systems. It’s kind of hard to encrypt from a magnetic stripe reader head to a bank mainframe directly so there are a few points in the process where the data is in plaintext. These are the vulnerable points that are exploited by hackers. The more secure systems reduce those vulnerable points to the absolute minimum.
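The two controls CJD describes (tokens in place of stored card numbers, and encryption from the reader to the acquirer with no merchant-held key), together with Jim's point that data is exposed wherever a hop carries it in plaintext, as an added example and not code from the thread or any PCI product: a constructed reader encrypts track data under a key only the acquirer holds, the merchant host stores only a token, and a legacy variant shows what the same host would hold after a breach. The HMAC counter-mode keystream stands in for the reader's real cipher (AES/DUKPT) and is an assumption for the demo.

```python
import hashlib
import hmac
import re
import secrets

PAN_RE = re.compile(r"\b\d{16}\b")   # 16-digit card numbers in breached data


def keystream_xor(key, nonce, data):
    """Stand-in for the reader's certified cipher: HMAC-SHA256 in counter mode.
    Constructed for the demo; a real P2PE reader uses AES under DUKPT keys."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Acquirer:
    """Holds reader keys and the token vault; the merchant never sees either."""
    def __init__(self):
        self.reader_keys = {}   # reader serial -> key injected at manufacture
        self.vault = {}         # token -> PAN, kept only here

    def provision_reader(self, serial):
        self.reader_keys[serial] = secrets.token_bytes(32)
        return self.reader_keys[serial]

    def process(self, serial, nonce, ciphertext):
        pan = keystream_xor(self.reader_keys[serial], nonce, ciphertext).decode()
        token = "tok_" + secrets.token_hex(8)   # random; carries no PAN information
        self.vault[token] = pan
        return token


class Reader:
    def __init__(self, serial, key):
        self.serial, self.key = serial, key

    def swipe(self, pan):
        nonce = secrets.token_bytes(12)          # fresh per transaction
        return self.serial, nonce, keystream_xor(self.key, nonce, pan.encode())


class MerchantHost:
    """Everything the merchant POS host passes or stores; a breach exposes exactly this."""
    def __init__(self):
        self.traffic, self.db = [], []

    def sale_p2pe(self, reader, acquirer, pan):
        msg = reader.swipe(pan)
        self.traffic.append(msg[2])               # only ciphertext crosses the host
        self.db.append(acquirer.process(*msg))    # only a token is stored

    def sale_legacy(self, pan):
        self.traffic.append(pan.encode())         # plaintext hop before the TLS link
        self.db.append(pan)                       # PAN stored directly


def exposed_pans(host):
    """Post-breach review: which card numbers appear anywhere on the host?"""
    blobs = host.traffic + [d.encode() if isinstance(d, str) else d for d in host.db]
    found = set()
    for blob in blobs:
        found.update(PAN_RE.findall(blob.decode("latin-1")))
    return found


def demo():
    """Returns (PANs exposed on P2PE host, PANs exposed on legacy host, vault resolves token)."""
    acq = Acquirer()
    reader = Reader("RDR-001", acq.provision_reader("RDR-001"))
    secure, legacy = MerchantHost(), MerchantHost()
    test_pan = "4111111111111111"   # constructed test number
    secure.sale_p2pe(reader, acq, test_pan)
    legacy.sale_legacy(test_pan)
    return exposed_pans(secure), exposed_pans(legacy), acq.vault[secure.db[0]] == test_pan


if __name__ == "__main__":
    print(demo())
```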

  13. SvenforSecure

    Does anyone know which point-of-sale devices were compromised?

  14. A Suleymanovic

    It’s quite unfair to Hilton Hotels if the source of the breach is franchised shops and restaurants. Hilton has little control over these properties, not much different than any commercial property owner.

  15. Darth V

    What timely reporting for me, thanks Brian. Soon I’m booking a trip to Florida for this winter to visit my grandkids, and I *really* don’t need my bank card(s) compromised. Time to stock up on the prepaid CC’s & gift cards for use on the trip.

    1. Kl

      A little FYI if you are not aware: do not count on checking into a hotel with a gift card. The hotel will require a card that will authorize for your entire stay + tax. Usually, you can pay with the gift cards at check-out, but that still may be a hassle and defeats your purpose of not exposing your card. (Source: I work front desk at a hotel.) Thankfully, in the report, they are noting that the check-in system does not seem to be in jeopardy.

  16. Jim

    To whom it may concern, my spouse received a new card number (due to a previous hack) and she used it at only a very few places before the bank contacted her to tell her it was hacked again. The one place it was used was Hilton on-line reservations (not the in hotel front-desk system, not a restaurant or gift shop). So whoever is digging into that mess better check up on the web site as well.

    1. Pedro

      Jim .. Same here. I have a Hilton branded card and I only use it when booking and visiting Hiltons on site. I was in Japan with it recently and 6 weeks later I used it once for an ONLINE reservation on Hilton.com for an Australia-based property. I too believe they have issues in the CRS and/or website booking engine as well.

  17. memidsouth

    My card was cancelled and reissued due to an unspecified data breach as well, like many here. I know I did a transaction in late March at a restaurant in a Hilton hotel while attending MidSouthCon. Perhaps not coincidentally, during one of the three days of the con, *the POS system crashed.* Could I have seen the symptoms of the actual breach as it was occurring at that particular location???

  18. Andrew

    Hi, really nice post. I like this post so much. Security is very important for any organization. Without security, you and your business feel unsecured.

    Regards,
    Bravosecurity | Security Guards Company

  19. Atle

    Also outside the US… My card was cancelled after being used at the restaurant in Hilton Slussen, Stockholm, Sweden in mid July.

  20. Elizabeth Norman

    I made a reservation at the Hilton San Diego Airport/Harbor Island for dates in November. I was not emailed a confirmation and forgot to ask for one on the phone. Stupid me. This morning I received an email from my credit union regarding possible fraud on my credit card. All this happened since I had called the Hilton. There were over $1000 worth of charges made to my account, the priciest for a resort in Thailand. Fortunately I have a wonderful credit union and will be receiving new cards in a couple days. I also called the Hilton and they said they had no record of a reservation for me. When I called back the credit union with this information, they said that there was a security breach with the Hiltons. Needless to say I will not be making another reservation with them.

  21. Janani

    Thanks for your details and explanations. I want more information from your side. I am working in a budget hotel in Chennai; should you need any other clarification, please call this number: 044-6565 6523.


Comments are closed.