Multiple sources in the banking industry say they have traced a pattern of credit card fraud that suggests hackers have compromised point-of-sale registers in gift shops and restaurants at a large number of Hilton Hotel and franchise properties across the United States. Hilton says it is investigating the claims.
In August, Visa sent confidential alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity that is known to have extended from April 21, 2015 to July 27, 2015. The alerts to each bank included card numbers that were suspected of being compromised, but per Visa policy those notifications did not name the breached entity.
However, sources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: They were all were used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts.
In a written statement, a Hilton spokesperson said the company is investigating the breach claims.
“Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” the company said. “We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”
As with other recent card breaches at major hotel chains — including Mandarin Oriental and White Lodging properties — the breach does not appear to be related to the guest reservation systems at the affected locations. Rather, sources say the fraud seems to stem from compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties.
It remains unclear how many Hilton properties may be affected by this apparent breach. Several sources in the financial industry told KrebsOnSecurity that the incident may date back to November 2014, and may still be ongoing.
This is a developing story. More as updates become available.