HEI Hotels reports point-of-sale terminals breach

The hotel operator said payment card information could have been stolen

security hacker privacy
Credit: IDGNS

HEI Hotels & Resorts has reported a possible compromise of payment card information at its point-of-sale terminals, the latest in a string of attacks on such systems at hotels, hospitals and retailers.

The company, which manages close to 60 Starwood, Hilton, Marriott, Hyatt and InterContinental properties, said it appears that malicious software was installed on the payment processing systems at certain properties, with the aim of harvesting the card data as it was routed through the systems.

The compromise may have possibly affected the personal information of some hotel customers who made payment card purchases at point-of-sale terminals, such as food and beverage outlets, at certain HEI managed properties.

HEI in Norwalk, Connecticut, did not specify how many people were likely to have been affected. The data compromised may have included payment card data, including name, payment card account number, card expiration date, and verification code, it said.

“We believe that the malware may have accessed payment card information in real-time as it was being inputted into our systems,” HEI said in a separate FAQ. It added that it does not store data like credit or debit card numbers of customers, or collect card personal identification numbers or social security numbers on its own systems.

The chain said it would not be contacting customers it thinks could be affected as it does “not collect or maintain sufficient information to locate and contact potentially affected customers.”

It said it would cooperate with investigations by federal law enforcement.

HEI spokesman Chris Daly said the company is working with credit card processors to obtain the exact number of unique card holders impacted. "Due to guests paying in multiple outlets during a stay or even visiting multiple times, or visiting multiple locations managed by HEI, an exact number is difficult to calculate. Furthermore, HEI does not store credit card details," he wrote in an email. The attacks at 20 properties were from March 2015 to June 2016.

Omni Hotels & Resorts in Dallas, Texas reported last month that malware hit point-of-sale systems at some of its properties, with an eye to pilfering payment card information. Hyatt Hotels, Target, Starwood Hotels & Resorts Worldwide and Hilton Worldwide Holdings, Neiman Marcus have also reported data breaches through their point-of-sale systems.