Hilton Worldwide confirms that Point of Sale systems at some of its locations around the world have been infected with malware which was targeting personal information when processing card transactions.
Information targeted includes cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs). Hilton says it has launched an investigation and has further strengthened its systems to prevent repetition.
Working closely with third-party forensics experts, law enforcement and payment card companies on this investigation, Hilton Worldwide determined that specific payment card information was stolen over a seventeen-week period, from 18 November to 5 December 2014, or 21 April to 27 July 2015.
Hilton is yet to share exactly how many or which hotel locations may have been affected by the breach, or which point-of-sale devices were affected. Brian Krebs has reported that the fraud seems to stem from compromised point-of-sale devices inside franchised restaurants, coffee bars and gift shops within Hilton properties.
Reporting on the breach back in September, Krebs quoted a 'banking industry' source saying that the company knew about fraudulent activity as early as August 2015, but Hilton only officially announced it last night, after opening an investigation back in September.
According to Krebs, Visa sent confidential alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity that is known to have extended from April 21, 2015 to July 27, 2015. The alerts to each bank included card numbers that were suspected of being compromised, but as per Visa policy those notifications did not name the breached entity.
SC emailed VISA to ask if a change of policy is planned with regards to notifying customers of incidents and a VISA spokesperson responded: “When a data compromise is suspected, Visa's first priority is to ... notify financial institutions so that they can take steps to protect consumers through independent fraud monitoring, and if needed, reissuing cards. Even a slight delay in notification to financial institutions could be costly in terms of fraud prevention.” “The good news is that less than six cents out of every US$100 transacted with Visa is attributed to fraud, ... [and] fewer than two to five percent of accounts that are potentially at risk as a result of a data breach ever experience fraud as a result.”
Hilton urged customers who used their payment cards during that time to monitor their card statements for fraudulent activity. Hilton is offering what has become the standard one-year complimentary credit monitoring and is posting updates on details as they emerge at hiltonworldwide.com/guestupdate.
The statement comes shortly after Starwood announced that some of its hotels, including Sheraton, W, and Westin properties, had also been hit by malware designed to steal payment card details from point-of-sale systems.
Justin Basini, co-founder and CEO of ClearScore said to SCMagazineUK.com by email: “Hilton Worldwide customers face a very real threat of fraud – people will be worried that their personal details may already have been sold on to criminals looking to instigate phishing attacks. Customers need to be proactive in looking out for suspicious or unexpected activity, such as someone taking out a credit card or loan in their name. Hilton Worldwide customers should check their credit reports to monitor for any unusual activity. Any unusual behaviour should be reported to Action Fraud.”
Ryan Wilk, director at NuData Security, said to SCMagazineUK.com by email: “While we can't know for sure what hackers' long-term plans are, it does seem credible that they are targeting specific industries that likely have the same exploits to maximise their efforts before moving on to the next industry. Once they get the card numbers, hackers then sell them on the Dark Web, use them directly in credit card cycling scams, or tie them to other data leaks to create full personas ripe for identity theft or fraudulent account creation, likely contributing to the overall increase in account takeovers we've seen, an over 100 percent increase since February 2015.”
Kevin Watson, CEO at Netsurion, commented in an email to SCMagazineUK.com, calling news of the breach “unsettling, especially as millions of Americans are preparing to travel for the upcoming Thanksgiving holiday.”
He added, “It's a harsh reminder that no business is immune to cyber-criminals, and it's especially important during the holiday season for merchants, retailers, hotels and hospitality businesses that process payment data to understand that they are lucrative targets.”
Watson highlighted that it is “essential” for Hilton and others “to protect customer data and ensure that stronger security measures are in place for their networks, payment systems and on-premise Wi-Fi services.”
By prioritising those areas now, hospitality organisations can then “focus on the core business of providing customers with exceptional dining, lodging, event and travel experiences during the busy holiday travel period.”
Mark James, security specialist at IT security firm ESET, discusses what Hilton should do now. “Hilton must make sure it keeps its customers notified and up to date. It needs to review its hardware that handles credit card data and ensure it is using the latest operating systems and is also periodically updated and patched with the latest security patches as soon as they are released. Having a good Internet security programme that updates regularly is a must to help protect their users' data. We the public need to know as soon as it happens, with a good clear indication of what, when and where it happened, to enable us to properly protect our finances from future abuse.”
When asked what customers should do now, Mark said: “If you don't already, you need to keep a close eye on your bank statements, and you may want to consider using a separate credit card for all transactions that may be insecure. If you find anything amiss, however small it may seem, you need to call your card issuer immediately; they will protect you if you notify them in good time. Be very wary of any ‘out of the ordinary’ emails or phone calls with some validated data asking for more personal information. If in doubt, cancel the affected card and get a new one reissued as soon as possible.”