Posts Tagged: Starwood breach


4
Apr 16

Sources: Trump Hotels Breached Again

Banking industry sources tell KrebsOnSecurity that the Trump Hotel Collection — a string of luxury properties tied to business magnate and Republican presidential candidate Donald Trump — appears to be dealing with another breach of its credit card systems. If confirmed, this would be the second such breach at the Trump properties in less than a year.

Trump International Hotel in New York.

Trump International Hotel in New York.

A representative from Trump Hotels said the organization was investigating the claims.

“We are in the midst of a thorough investigation on this matter,” the company said in a written statement. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

KrebsOnSecurity reached out to the Trump organization after hearing from three sources in the financial sector who said they’ve noticed a pattern of fraud on customer credit cards which suggests that hackers have breached credit card systems at some — if not all — of the Trump Hotel Collection properties.

On July 1, 2015, this publication was the first to report that banks suspected a breach at Trump properties. After that story ran, Trump Hotel Collection acknowledged being alerted about suspicious activity tied to accounts that were recently used at its hotels. But it didn’t officially confirm that its payment systems had been infected with card-stealing malware until October 2015.

The Trump Hotel Collection includes more than a dozen properties globally. Sources said they noticed a pattern of fraud on cards that were all used at multiple Trump hotel locations in the past two to three months, including at Trump International Hotel New York, Trump Hotel Waikiki in Honolulu, and the Trump International Hotel & Tower in Toronto. Continue reading →


15
Jan 16

Hyatt Card Breach Hit 250 Hotels in 50 Nations

If you stayed, ate or played at a Hyatt hotel between Aug. 13 and Dec. 8, 2015, there’s a good chance your credit or debit card data was stolen by unknown cyber thieves who infiltrated many of the hotel chain’s payment systems. In its first disclosure about the scope of a breach acknowledged last month, Hyatt Hotels Corp. says the intrusion likely affected guests at 250 hotels in roughly 50 countries.

hyattIn a statement released Thursday, Hyatt said the majority of the payment systems compromised by card-stealing malware were at restaurants within the hotels, and that a “small percentage of the at-risk cards were used at spas, golf shops, parking and a limited number of front desks.” The list of affected hotels is here.

Chicago-based Hyatt joins a crowded list of other hotel chains similarly breached in the past year, including Hilton, Starwood, Mandarin Oriental, White Lodging (twice) and the Trump Collection.

ANALYSIS/RANT

U.S. banks have been transitioning to offering chip-based credit and debit cards, and a greater number of retailers are installing checkout systems that can read customer card data off the chip. The chip encrypts the card data and makes it much more difficult and expensive for thieves to counterfeit cards.

However, most of these chip cards will still hold customer data in plain text on the card’s magnetic stripe, and U.S. merchants that continue to allow customers to swipe the stripe or who do not have chip card readers in place face shouldering all of the liability for any transactions later determined to be fraudulent.

The United States is the last of the G20 nations to enact this liability shift, and many countries that have transitioned to chip card technology have done so through government fiat. Those nations also almost uniformly have seen card counterfeiting fraud go way down while thieves shift their attention to targeting e-commerce providers.

Although cyber thieves still steal card data off the magnetic stripe from customers of banks in nations that long ago shifted to chip-cards, that card data is typically shipped to thieves here in the United States, who can counterfeit the cards and use them to steal merchandise from U.S.-based big box retailers.

What’s remarkable about the U.S. experiment with moving to chip cards is that the discussion about whether and when to move to more physical security (chips) in credit and debit cards has played out almost entirely apart from the move to impose expensive and increasingly labyrinthine compliance regulations (PCI) on merchants that wish to process or accept card transactions.
Continue reading →