HEI Hotels & Resorts, a hotel owner and operator based in Norwalk, Conn., reported that its hotels branded under the Starwood, Marriott, Hyatt, and InterContinental portfolios were the victims of a malware attack that lasted more than a year.
This data breach may have exposed customer payment card data from tens of thousands of transactions at 20 HEI Hotels properties. The list of affected properties, including the Boca Raton Marriott and The Westin Washington, D.C., for example, and the data breach periods can be found here.
HEI said it discovered the malware in its payment systems in mid-June and conducted an independent investigation, as well as transitioned its card payment processing to a system that is separate from the rest of HEI’s network. The investigation found that the attack took place from March 1, 2015, to June 21, 2016, and hackers may have gained access to customers’ names, credit card account numbers, expiration dates, and verification codes.
On its website, HEI said, “We are pleased to report that the incident has now been contained and individuals can safely use payment cards at all of our properties.”
Chris Daly, a spokesperson for HEI, told Reuters that the number of customers affected by the breach was not easy to estimate because they may have used their cards multiple times. Daly told Reuters that approximately 8,000 affected transactions took place at the Hyatt Centric Santa Barbara during the data breach, and that 12,800 transactions occurred at the InterContinental Tampa Bay during the malware attack.
In total, the breach impacted 12 Starwood hotels, six Marriott International hotels, one Hyatt hotel, and one InterContinental Hotels Group property. They include the Le Meridien San Francisco, Renaissance San Diego Downtown Hotel, The Westin Philadelphia, and The Westin Washington, D.C. City Center.