The hotel management firm White Lodging is the latest company to suffer a credit card data breach, exposing guests at
Hilton*, Marriott, Sheraton, and Westin hotels throughout the country to risk of theft.
According to cyber security expert Brian Krebs — who first broke the story of Target's massive data breach, and retailer Neiman Marcus's less massive one — thousands of hotel patrons could have been exposed to the breach in 2013. He explains in a blog post:
Earlier this month, multiple sources in the banking industry began sharing data indicating that they were seeing a pattern of fraud on hundreds of cards that were all previously used at Marriott hotels from roughly March 23, 2013 on through the end of last year. But those same sources said they were puzzled by the pattern of fraud, because it was seen only at specific Marriott hotels, including locations in Austin, Chicago Denver, Los Angeles, Louisville and Tampa. Turns out, the common thread among all of those Marriott locations is that they are managed by Merrillville, Indiana-based White Lodging Services Corporation.
The firm manages 168 hotels across 21 states. According to Krebs, White Lodging hasn't issued much of a response to the report, saying only that an investigation is underway. Marriott, however, has responded with a more extensive statement on one of its franchisees which the company states has seen "unusual fraud patterns":
They are in the midst of the investigation and are in close contact with the banks and credit cards companies. We are working closely with the franchisee as they investigate the matter. Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide.
Krebs says that his sources report the fraud largely affected gift shops, restaurants and other properties within hotels, but not the hotel management systems themselves. According to The New York Times, the Secret Service could not comment on whether they were looking into the hotel system breach.
The Target data breach is turning out to be one of the largest in American retail history, and could point to a more general failing on the part of credit card security, which would explain why retailers are not the only ones suffering from security breaches. The problem goes much deeper than stores or your wallet.
*Update: According to a representative, Hilton Worldwide was not affected by the breach. The company said in a statement:
Hilton Worldwide is strongly committed to the protection and privacy of our guests’ personal information. White Lodging, which franchises hotels for several brands including some within Hilton Worldwide’s portfolio, is investigating potential fraud on their IT systems that process credit card transactions. White Lodging has advised us that none of their hotels franchised with a Hilton Worldwide brand have been affected, since these hotels are connected to different IT systems. Additionally, Hilton Worldwide is investigating the matter, and our findings have also indicated that none of these hotels have been affected.
This article was originally published at http://www.thewire.com/technology/2014/02/white-lodging-credit-card-hack/357650/