A large American hotel management firm that operates franchises for Marriott, Sheraton and Westin has confirmed that guests at 14 of its establishments were the victims of a credit-card hacking scheme.
White Lodging Services Corp. said the security breach affected people who used debit or credit cards at the restaurants or lounges of the following hotels, between March 20 and Dec. 16 of last year:
Marriott Midway, Chicago; Holiday Inn Midway, Chicago; Holiday Inn Austin Northwest, Austin, Tex.,; Sheraton Erie Bayfront, Erie, Pa.,; Westin Austin at the Domain, Austin; Marriott Boulder, Boulder, Colo.; Marriott Denver South, Denver; Marriott Austin South, Austin; Marriott Indianapolis Downtown, Indianapolis; Marriott Richmond Downtown, Richmond, Va.; Marriott Louisville Downtown, Louisville. Ky.; Renaissance Plantation, Plantation, Fla.; Renaissance Broomfield Flatiron, Broomfield, Colo.; Radisson Star Plaza, Merrillville, Ind.
In addition to the hacking of the points-of-sale systems at food and beverage outlets, White Lodging said the computer network that manages hotel guests' credit card information at the Radisson Star Plaza in Merrillville was also compromised.
(Merrillville, near Chicago, is where White Lodging head offices are located.)
The stolen information included customers' names, credit or debit card numbers, security codes and card expiration dates.
"We deeply regret and apologize for any inconvenience caused by this incident and remain committed to protecting all information entrusted to us by our guests," White Lodging said in a communiqué released Monday afternoon.
The chain said it arranging to offer one year of complimentary personal identity protection services to all affected cardholders.
The problem was first disclosed by computer security journalist Brian Krebs, who reported that sources in the banking industry noticed earlier this month a pattern of card fraud at hotels in Austin, Chicago, Denver, Los Angeles, Louisville and Tampa.
The breach of security took place between March 23, 2013 and the end of last year. Sources told Mr. Krebs that victims used their cards at restaurants and gift shops within hotels managed by White Lodging.
"One of our franchise management companies has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels. They are in the midst of the investigation and are in close contact with the banks and credit cards companies," Marriott said in a statement.
The fraud was likely made possible because, unlike users in Canada, many customers in the U.S. still have cards that have no built-in chips or PINs and are easily cloned, said Gary Warner, Chief Technology Officer at Malcovery Security.
Historically, hackers introduced malware into hotel computer systems through the online reservations system, Mr. Warner said in an interview.
In this case, however, the fact that the intrusion was limited to restaurants and gift shops but occurred in a number of different states, suggests that the hackers introduced the fraudulent computer code through an e-mail to an employee in a payment processing centre, Mr. Warner said.
A commenter on Mr. Krebs' blog reported that JPMorgan Chase bank cancelled and reissued his corporate credit card last week. The commenter has not made purchases at some of the retail chains recently known to be affected by data breaches but was a frequent traveller and had used his card during hotel stays.
Paul Hartwick, a spokesman for JPMorgan Chase, said the bank had no comment to make "at this time."
Mr. Warner said the breach could have come to the attention of bank investigators through two possible scenarios: card holders may have reported improper purchases on their monthly statements, or a security firm retained by the bank recovered card numbers from a website where hackers resell stolen data. In either scenario, the bank would have run computer analysis of the fraudulent transactions to retrace the merchant whose point of purchase was breached.
In the past, card issuers would have absorbed the losses, Mr. Warner said. Now, however, "as larger breaches occur, there's more pressure on banks to make sure that they recover the funds," he said.
News of the hotel card fraud problem came in the wake of another major breach that Mr. Krebs had also revealed, when retailing chain Target was hit by a massive hacking of consumer data during the holiday shopping season.
On Friday, a U.S. card-issuing financial institution, First Choice Federal Credit Union, filed a lawsuit against Target Corp., seeking damages for the costs stemming from the security breach.
In Canada, meanwhile, Bell confirmed that hackers had posted on the Internet during the weekend 22,421 user names and five credit card numbers belonging to small business customers.
"Bell is contacting affected small business customers, has disabled all affected passwords, and has informed appropriate credit card companies," the Canadian telecommunications giant said in a statement.