Data Breach , Payments

Banks: Starwood Breach Not Isolated

Issuers Suspect Another Large Hotel Chain Also Attacked
Banks: Starwood Breach Not Isolated

Starwood Hotels and Resorts has confirmed a point-of-sale malware intrusion that likely stole payment card data from a limited number of its hotels in North America.

See Also: API vs. Proxy: Understanding How to Get the Best Protection from Your CASB

But card issuers say they don't believe the Starwood breach is isolated, and that fraud patterns indicate that another, perhaps larger, breach is impacting cards across the country.

On Nov. 20, Starwood posted a notice to its website, telling customers that malware had infected certain restaurants, gift shops and other POS systems at Starwood properties. A full list of affected properties, which includes locations in New York, New Jersey, Texas and California, is provided here.

"There is no indication at this time that the company's guest reservation or Starwood Preferred Guest membership systems were impacted," Starwood states. "The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date. There is no evidence that other customer information, such as contact information or PINs, were affected by this issue. The affected hotels have taken steps to secure customer payment card information and the malware no longer presents a threat to customers using payment cards at Starwood hotels."

But one executive with a leading U.S. issuer on the West Coast, who asked not to be identified, tells Information Security Media Group that another large hotel chain, Hilton Hotels & Resorts, likely suffered a much larger breach that has yet to be publicly disclosed.

Hilton, however, has not confirmed a breach, and told ISMG on Nov. 19 that it was not aware of any network intrusion or suspicious fraud that would suggest a breach.

"We're starting to see significant fraud linking back to various Hilton properties," the executive says. "Initially, we thought timeframe started in April 2015. But based on new fraud trends, we believe it may go back as far as November 2014."

When asked if the fraud patterns could be linked to Starwood, rather than Hilton, this executive says no. "We are confident Hilton was also comprised."

Another executive with a different leading U.S. issuer, who also asked not to be named, tells ISMG that most banks agree Hilton suffered a breach; however, they've had trouble identifying the timing and scope of the attack.

"We are concerned about the activity going into the holidays," the executive says. "Many issuers I speak to are delaying their reissuance until after the holidays, or are going to clean up with new chip card issuance."

Hints of Hilton Breach?

In late October, First National Bank of Omaha told its cardholders that a card breach suffered by an "unidentified national business" had likely compromised debit cards issued by First National in seven states.

"We recently issued new debit cards across our seven-state service area to customers whose cards may have been compromised through a nationwide breach that has not yet been announced," First National spokesman Kevin Langin told The [Omaha] World-Herald on Nov. 1.

First National Bank could not be reached for comment, but sources tell ISMG they believe Hilton is the breached business that impacted First National customers.

Hilton Investigates Possible Breach

In September, just days before The Trump Hotel Collection confirmed a POS malware attack that compromised seven of its hotels for more than a year, Hilton said it was investigating a possible malware attack against its payments network (see Trump Hotels Confirms POS Malware Breach).

Security blogger Brian Krebs on Sept. 25 was the first to report a possible breach at Hilton. Krebs said numerous banks had reported seeing card fraud at restaurant and gift-shop POS systems in numerous Hilton locations, as well as at the company's Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts.

The suspected breach window was between April 21 and July 27.

Rash of Hotel Attacks

Attacks against hotel chains are becoming more prevalent. In addition to Trump Hotels, Starwood and possibly Hilton, hospitality company White Lodging Services Corp. and The Houstonian Hotel, Club and Spa also have suffered card breaches in the last year.

In February 2014, White Lodging, which manages hotel franchises such as Hilton, Sheraton and Marriott, announced that it was looking into a possible POS malware attack that may have impacted thousands of credit and debit cards at a number of its hotels across the U.S. That breach, which occurred in 2013, was later confirmed.

Then, in April, White Lodging reported a second breach, which attacked POS systems at 10 of the hotels it manages in Colorado, Illinois, Indiana, Kentucky, Michigan, Pennsylvania and Texas.

And in July 2014, The Houstonian confirmed that cyber-attackers had breached its payments system in December 2013 and that the attack went undetected for six months.

Card breaches in the hospitality industry are likely to continue for some time, says Al Pascual, director of fraud and security at Javelin Strategy & Research. "The hotel industry will continue to be a standout due to their resistance to re-terminalization [for EMV]," he says.

So what's the main message for banks and credit unions? To get EMV cards out to the market as quickly as possible, Pascual says.

"While EMV data is transmitted in the clear, the very limited use of this data, when compromised, will act as a long-term deterrent to breaches," he says. "This isn't a Target moment, but only a tremor leading to the larger quake."

EMV is the best breach deterrent the industry can invest in right now, agrees financial fraud expert Avivah Litan, an analyst at consultancy Gartner.

"The takeaway for the banks is that they need to move to EMV and issue EMV cards as soon as possible," she says. "This way they will avoid the liability on any fraud that does ensue from these breaches."


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network