According to multiple sources in the banking industry, Hilton Hotel and franchise properties have been hit with a payment card breach. Brian Krebs was the first to publish information about the breach on Sept. 25. Point-of-sale registers in gift shops and restaurants were compromised, but not front desk operations. This mimics the recent breach at White Lodging properties. Hilton is investigating the breach that ran from April 21 through July 27, 2015.
Visa sent confidential alerts to financial institutions about a possible breach of a physical entity but did not name the breached entity. After profiling the compromised cards, it was determined that the commonality was that they were all used at retail venues inside Hilton locations including Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels and Resorts.
Hilton responded to inquiries from Krebs with the following quote: “Hilton Worldwide is strongly committed to protecting our customers’ credit card information,” the company said. “We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”
Several readers responded to the KrebsOnSecurity blog about the Hilton event. One said, “We received a new card in mid-August which the bank said was tied to a suspected event. Which was odd as the card is rarely used. But it was used at a Hilton brand on July 26, which may mean mystery solved.”
Yet another confirmed that a Chase Visa card had been used at both the front desk and hotel bar at a Chicago Hilton property on June 6. “Fraudulent charges began on 8/7, and the card was shut down the same day.”
Since it is early in the investigation, Hilton has not named which properties may have been affected by the breach. Even the beginning date of the breach may not be April 2015. Several sources in the financial industry told KrebsOnSecurity that the incident might date back to November 2014, and may still be ongoing.
Jay Foley of ID Theft Info Source added his take on this latest breach. “It is clear that hackers can circumvent security measures put into place even by the most careful retailer. It is as easy as sending a text or email with malicious coding that gets into the system. Insiders could be responsible for inputting the virus. If you stayed at a Hilton Hotel in the last six months, watch your account statements for any unauthorized purchases. If there is a problem, immediately contact your card issuer. Since personal information such as Social Security numbers was not involved, there is not a risk of identity theft.”