Hilton is conducting an internal investigation following a report from an independent expert that it fell victim to a credit card breach at registers in gift shops and restaurants at several of its U.S.-based properties and franchises.
Brian Krebs, an independent security researcher who runs the blog Krebs on Security, broke the news on Friday that Visa first alerted several financial institutions and banks of a breach in security at a brick-and-mortar business between April 21, 2015 and July 27, 2015. Though Visa policy prohibits the company from identifying the business, it alerts consumers whose credit card numbers are believed to have been hacked.
According to Krebs’ post, sources at five different banks name several Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts, as the common point-of-purchase for the compromised cards included in the alerts.
A Hilton Worldwide spokesperson issued a statement regarding the hack, saying the company is committed to protecting its customer information.
“We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter,” the statement said.
Krebs points out that the breach appears to be linked to a compromised point-of-sale system rather than an issue relating to the guest reservation systems at the affected locations.
Still, this is not welcome news for Hilton, whose brand may temporarily experience some degree of backlash, Krebs says.
“[Hilton] will have to investigate whether the stores in their establishments are up to snuff with respect to the latest card security standards, and take remedial action if not,” Krebs tells Skift. “In the meantime, the company’s brand is likely to take a hit, even if the reservation systems within the hotels weren’t affected.”
Hilton is not the first hotel to come under fire for credit card fraud due to compromised point-of-sale devices. Past hotel chains that fell victim to similar situations include Mandarin Oriental and White Lodging properties.
Krebs points out different measures hotels can take to protect themselves.
“They can take more responsibility for ensuring the card safety and integrity of the systems that run in franchised operations within their hotels,” Krebs says. “Many hotels outsource this out to third parties or completely franchise these operations. I think it’s clear that this hands-off approach is not sufficient.”