Hilton Worldwide has confirmed that malware found its way onto point-of-sale systems and stole payment card information.
Exposed data includes cardholder names, payment card numbers, security codes and expiry dates. Addresses and PINs were not exposed, Hilton concluded, after an investigation that brought in third-party forensics experts, law enforcement and payment card companies.
Hilton omits to say how many or which hotel locations may have been affected by the breach, but is telling customers to review their payment card statements – particularly if they used their cards at a Hilton Worldwide hotel between specified dates (8 November – 5 December 2014 or 21 April – 27 July 2015). The hotel chain is also keeping quiet about the number of people or credit card records exposed as a result of the breach.
In its statement, Hilton sought to assure guests that the malware had been purged and the security of its systems strengthened in the wake of the attack.
Hilton Worldwide has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems. Hilton immediately launched an investigation and has further strengthened its systems.
Confirmation of the breach on Tuesday doesn’t come as a surprise since it comes weeks after reports in September that the hotel chain had suffered a hack attack. Again the number of records exposed was left unclear.
Ryan Wilk, director at fraud prevention firm NuData Security, commented: “This credit card breach announcement is just one of a spate of similar hacks that have occurred over the last year or so targeting hotels.
“While we can’t know for sure what [the] hackers’ long-term plans are, it does seem credible that they are targeting specific industries that likely have the same exploits in order to maximise their efforts before moving on to the next industry. Once they get the card numbers, hackers then sell them on the dark web, use them directly in credit card cycling scams, or tie them to other data leaks to create full personas ripe for identity theft or fraudulent account creation,” he added.
Kevin Watson, chief exec at Netsurion, a provider of remotely managed security for multi-location businesses, added: “It’s especially important during the holiday season for merchants, retailers, hotels and hospitality businesses that process payment data to understand that they are lucrative targets. Therefore, it’s essential to take the necessary steps to protect customer data and ensure that stronger security measures are in place for their networks, payment systems and on-premise Wi-Fi services. Making those areas a priority now will allow them to focus on the core business.”