Hotel's Payment System Breached
Attackers Stole Credit Card Information for Six Months
For six months, cyber-attackers breached the credit card payment system for The Houstonian Hotel, Club and Spa, accessing account information about an undisclosed number of customers.
On June 10, the U.S. Secret Service notified the hotel regarding a potential breach in the organization's payment processing systems; The Houstonian then took mitigation steps, according to a statement provided to Information Security Media Group.
"As of June 20, we had fully replaced and overhauled the breached systems, further restricted access to all our servers and hired a data forensics firm to help us enhance our digital security," the hotel says.
The forensics team determined that an intruder illegally penetrated the hotel's internal computer systems between Dec. 28, 2013, and June 20, 2014. Credit card and payment information was compromised during that time, the hotel says.
State and federal law enforcement investigations into the incident are continuing. The hotel is offering affected individuals one year of free credit monitoring services.
A spokesman for the hotel declined to provide additional information.
It's too soon to speculate whether the perpetrators behind the attack were involved in other recent retail breaches, says Julie Conroy, research director of retail banking at Aite Group. "However, this just reinforces the message that there are numerous sophisticated rings that are actively targeting merchants of all sizes and their stored card data," she says.
"Merchants have to operate under the assumption that they will be breached sooner or later ... and take steps to better protect, tokenize and encrypt the data stored on their systems," Conroy says.
Andrew Komarov, a point-of-sale malware expert and CEO of cybersecurity firm IntelCrawler, says the hospitality industry is increasingly a prime target for hackers. "We have faced very similar breaches in the EU as well," he says. "There is a pretty big trend of hotels' receptions' POS terminals being compromised. Besides payment data, the bad actors can obtain sensitive PII [personally identifiable information] there as well about a hotel's visitors."
Long-term monitoring of compromised devices at hotels and tourism offices often yields hackers more, where card data is concerned, than attacks waged against retailers and restaurants, Komarov adds.
News of the breach at The Houstonian follows a similar incident in February that impacted hospitality company White Lodging, which manages hotel franchises including Hilton, Sheraton and Marriott (see: Hotel Company Investigating Breach). The company said the breach may have impacted thousands of credit and debit cards used at a number of its hotels across the U.S.
(Executive Editor Tracy Kitten contributed to this story.)