For the second time in a year, multiple financial institutions are complaining of fraud on customer credit and debit cards that were all recently used at a string of Marriott properties run by hotel franchise firm White Lodging Services Corporation. White Lodging says it is investigating, but that so far it has found no signs of a new breach.
In January 31, 2014, this author first reported evidence of a breach at some White Lodging locations. The Merrillville, Ind. based company confirmed a breach three days later, saying hackers had installed malicious software on cash registers in food and beverage outlets at 14 locations nationwide, and that the intruders had been stealing customer card data from these outlets for approximately nine months.
Fast-forward to late January 2015, and KrebsOnSecurity again began hearing from several financial institutions who had traced a pattern of counterfeit card fraud back to accounts that were all used at Marriott properties across the country.
Banking sources say the cards that were compromised in this most recent incident look like they were stolen from many of the same White Lodging locations implicated in the 2014 breach, including hotels in Austin, Texas, Bedford Park, Ill., Denver, Indianapolis, and Louisville, Kentucky. Those same sources said the compromises appear once again to be tied to hacked cash registers at food and beverage establishments within the White Lodging run hotels. The legitimate hotel transactions that predated fraudulent card charges elsewhere range from mid-September 2014 to January 2015.
Contacted about the findings, Marriott spokesman Jeff Flaherty said all of the properties cited by the banks as source of card fraud are run by White Lodging.
“We recently were made aware of the possibility of unusual credit card transactions at a number of hotels operated by one of our franchise management companies,” Flaherty said. “We understand the franchise company is looking into the matter. Because the suspected issue is related to systems that Marriott does not own or control, we do not have additional information to provide.”
I reached out to White Lodging on Jan. 31. In an emailed statement sent today, White Lodging spokesperson Kathleen Sebastian said the company engaged a security firm to investigate the reports, but so far that team has found no indication of a compromise.
“From your inquiry, we have engaged a full forensic audit of the properties in question,” Sebastian wrote. “We appreciate your concern, and we are taking this information very seriously. To this date, we have found no identifiable infection that would lead us to believe a breach has occurred. Our investigation is ongoing.”
Sebastian went on to say that in the past year, White Lodging has adopted a number of new security measures, including the installation of a third-party managed firewall system, dual-factor authentication for critical systems, and “various other systems as guided by our third-party cyber security service. While we have executed additional security protocols, we do not wish to specifically disclose full details of all security measure to the public.” Continue reading →