On Nov. 24 Hilton Worldwide became the latest hotel chain to disclose it had suffered a breach leaking the credit card information of guests. The announcement came two months after KrebsOnSecurity first reported that multiple banks suspected a point-of-sale system credit card breach at Hilton Hotels across the country. The hotel breach confirmation follows similar notices from Starwood Hotels (Sheraton and Westin), Mandarin Oriental Group, Trump Hotel Collection, Hard Rock’s Las Vegas Hotel & Casino, the Las Vegas Sands casino, White Lodging Hotel Management and FireKeepers Casino and Hotel.
The affected dates for Hilton also coincide with those from other hotel groups, starting Nov. 18, 2014 and ending July 27, 2015. Hilton said the data stolen includes cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs). As a precautionary measure, the hotel group advised customers to review and monitor their payment card statements if they used a payment card at a Hilton Worldwide hotel. It appears this is a credit card fraud situation and not full identity theft.
The company did not say how many of Hilton’s 4,500 locations or brands were impacted, or whether the breach was limited to compromised point-of-sale devices inside franchised restaurants, coffee bars and gift shops within Hilton properties — as previously reported here. However, we can assume follow-up announcements will confirm that retail venues, restaurants and coffee bars, and not front desk payment programs, were affected.
The stolen information would allow thieves to create fake cards and make purchases online, by phone or mail order. Jay Foley of ID Theft Info Source explained why we are seeing an uptick in card theft. “Hackers have only a limited timeframe to steal and use credit card information. With the new PIN and Chip cards now being sent out, thieves will have a far harder time to use stolen information. Because the code in the card changes with each purchase, hackers will find it nearly impossible to abuse the new cards.
“It also means that holiday shoppers need to be especially vigilant in monitoring account statements for unauthorized purchases during this shopping season. It might be the last season that cyber thieves can easily access and use your card information. I recommend checking account statements online at least weekly if not more frequently. I can almost guarantee we will hear about point-of-sale register breaches at major brick-and-mortar retailers.”