Five Hotel Cyber Security Breaches in 2015

Five major hotel groups in 2015 have confirmed data breaches at their properties nationally and internationally, underscoring cyber security issues plaguing the hospitality industry.

All of these hacks, with some of the activity extending back to 2014, involved malware that infected point of sale systems at gift shops, restaurants, bars, or other on-property products that exposed the identities and credit or debit card information of guests paying for such services. Hilton Worldwide, The Trump Hotel Collection, Starwood, Mandarin Oriental, and White Lodging Properties all confirmed they suffered credit card breaches.

Yet attacks are shifting gears, says Rurik Bradbury, chief marketing officer at Trustev, a company that detects and combats online fraud.

“Fraud is increasingly shifting toward the online space,” Bradbury says. “It is getting harder and harder to commit fraud in person because cards are getting chips in them….and it is getting very hard to forge a counterfeit card with a chip. What that means is it is more attractive to do fraud on the Internet.”

In the last year or so, online fraud has almost doubled, Bradbury adds. He says more than 1 percent of all dollars spent gets lost to online fraud in its various forms.

The issue is a serious one, Bradbury says, and as hotels gravitate toward more IT-centric operations, be it through loyalty programs or advanced check-ins, among other offerings, they become more vulnerable to hackers.

As the industry focuses its sights on beefing up its online security to take the utmost precautions to ensure their customers are safe against cyberattacks, these five hotels or management companies say they are cleaning up messes left behind by these breaches.

• Hilton Worldwide. In September, Hilton Worldwide launched investigations into a possible credit card breach at several of its properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts. Last month, the Hilton team confirmed the breach, citing unauthorized malware that targeted payment card information in some point-of-sale systems.
• The Trump Hotel Collection. The Trump Hotel Collection confirmed a credit card breach in October following reports of a possible hack that was first publicized in July. The hack affected customers who used their credit or debit cards between May 19, 2014 and June 2, 2015 at several Trump locations, including Trump SoHo New York; Trump National Doral; Trump International New York; Trump International Chicago; Trump International Waikiki; Trump International Hotel & Tower Las Vegas, and Trump International Toronto.
• Starwood Hotels & Resorts. Not long after Marriott announced in mid-November that it would acquire Starwood, the latter stated that hackers gained access to credit and debit card information of customers who dined or shopped at 54 of its hotels due to malware that infected sales systems in hotel gift shops, restaurants, and stores. The breach did not occur at front desk payment systems. Several Sheraton, Westin, and W Hotels were affected.
• Mandarin Oriental. The credit card systems at Mandarin Oriental hotels in the U.S. and Europe were hacked in March 2015 with malware that infected sales systems at several properties, and revealed the personal information of guests who used credit or debit cards for dining, beverage, spa, guest rooms, or other products and services between xxxx. Many were U.S.-based properties, with London, Hong Kong, and Geneva properties also affected by the breach.
• White Lodging Services Corporation. Hotel management firm White Lodging Properties announced a breach in data security in April 2015, saying that 10 of the properties it manages were affected by the attack. Its point-of-sales systems at food and beverage outlets such as hotel restaurants or lounges, suffered a malware attack. The hack affected the Marriott and Starwood brand families.