On Friday, HEI Hotels, which operates Marriott, Sheraton, Hyatt, and Westin hotels in multiple states, notified the public that hackers had likely stolen credit card information from people who made payments at its properties in ten states plus Washington, DC.
According to HEI, "unauthorized individuals installed malicious software on [its] payment processing systems at certain properties [-- the malware was] designed to capture payment card information as it was routed through these systems." Because malware was capturing information at the time that payments were made, it is likely that the criminals captured not only the credit card numbers, expiration dates, and associated names, but also the cards' verification codes. Credit card data has likely been stolen from the hotels for quite some time; at some locations, problems may have begun as far back as March of last year.
While credit card companies may ultimately cancel the cards whose information may have been compromised, in the meantime, check the list of affected locations and dates of impact; if you made a charge at one of them during the impacted date range, you may want to be especially vigilant in checking your statements going back to the time the relevant breach is believed to have begun, and request a new credit card number going forward.
The good news in the case of the HEI breach is that many hotel guests may not have actually made charges at the hotels; people who did not actually use cards within the hotels themselves - but instead booked rooms through a central reservations number and then charged all incidentals to their room bills - may not have had their cards compromised.
In any case, credit card data breaches are becoming so frequent that related stories seem barely newsworthy unless they involve huge data leaks from major corporations. But, for those impacted, even a small breach can be significant. Besides the aggravation of having to deal with fraudulent transactions, fraudulently maxed out credit limits that prevent legitimate cardholders from using their cards until charges are detected and reversed, denied payments when an issuer cancels a card due to a suspected breach and fails to quickly notify the cardholder, and other payment issues, the stolen data can sometimes be used in various ways to commit non-credit-card-related identity theft.
Chip-enabled EMV credit cards were supposed to help reduce credit card fraud, but without the chip-and-PIN feature - and without a viable solution for online payment security - credit card breaches and their related fallout are likely to continue for quite some time.
The current breach should also serve as a warning to brands that license their brand names to others: Make sure all parties using your brand name are cyber-secure. As George Rice, senior director of payments for HPE Security-Data Security notes: "This data breach highlights some unique data security challenges for the franchising industry. According to reports, this data breach has only affected around 20 hotel locations but is causing broad reputational damage to some of the largest hotel brands in the world."