Hotel Company Investigates Data Breach, Card FraudWhite Lodging, which manages 168 hotels under Hilton, Marriott, and Sheraton brand names, is investigating a suspected credit and debit card breach.
Top 10 Retail CIO Priorities For 2014
(Click image for larger view and slideshow.)
White Lodge has named 14 hotels -- as well as some hotel restaurants and lounges -- where "the suspected breach of point of sales systems" occurred, from March 20 to Dec. 16, 2013:
- Marriott Midway, Chicago, Ill.
- Holiday Inn Midway, Chicago, Ill.
- Holiday Inn Austin Northwest, Austin, Texas
- Sheraton Erie Bayfront, Erie, Pa.
- Westin Austin at the Domain, Austin, Texas
- Marriott Boulder, Boulder, Colo.
- Marriott Denver South, Denver, Colo.
- Marriott Austin South, Austin, Texas
- Marriott Indianapolis Downtown, Indianapolis, Ind.
- Marriott Richmond Downtown, Richmond, Va.
- Marriott Louisville Downtown, Louisville Ky.
- Renaissance Plantation, Plantation, Fla.
- Renaissance Broomfield Flatiron, Broomfield, Colo.
- Radisson Star Plaza, Merrillville, Ind.
It said other properties weren't affected.
White Lodging Services, a hospitality company that manages 168 hotels in 21 states -- under franchises from Hilton, Marriott, Sheraton, and Westin -- is investigating reports that it suffered a data breach that lasted from March 2013 until the end of the year.
Word of the breaches first surfaced Friday when security journalist Brian Krebs reported that unnamed card processors had tied fraud involving hundreds of credit cards to a number of Marriott properties operated by White Lodging Services, which is based in Merrillville, Ind. The affected hotels were located in Austin, Texas, Chicago, Denver, Los Angeles, Louisville, Ky., and Tampa, Fla., among other cities, reported Krebs.
White Lodging confirmed Saturday that it's investigating the reported data breach. "An investigation is in progress, and we will provide meaningful information as soon as it becomes available," White Lodge spokeswoman Kathleen Quilligan told The Times of Northwest Indiana.
White Lodge, described on the company's website as "a fully integrated hotel ownership, development, and operations company," is owned by Dean White, 90, whose hotel, real estate, and billboard business empire has given him what Forbes estimated to be a net worth of $1.9 billion. His company now manages 168 hotels under a variety of brand names, including Hilton and its Hampton Inn brand; Hyatt; Marriott and its Courtyard, Fairfield Inn, Renaissance, Residence Inn, and Springhill Suites brands; and Starwood and its Sheraton and Westin brands.
[Learn more about How To Defend Point-Of-Sale Systems.]
Spokesmen for Hilton and Starwood Hotels and Resorts Worldwide did not immediately respond to an emailed request for comment on the apparent data breach.
But Saturday, Marriott issued a statement about the "White Lodging Data Breach," which confirmed that unusual levels of fraud had been detected at the hospitality company.
"One of our franchise management companies has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels," the Marriott statement read. "They are in the midst of the investigation and are in close contact with the banks and credit cards companies."
Marriott said that it had no more details to share, at least not yet. "Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide," it said. "Since this impacts customers of Marriott properties, we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely."
A Marriott spokesman didn't immediately respond to an emailed request for comment about what the latter part of that statement meant, and if by "commitment to protect the privacy" of its customers, Marriott meant that it would compensate anyone affected by the breach.
The potential White Lodging data breach comes in the wake of recently discovered breaches at several major retailers, including Target, which suffered a breach that ran from Nov. 27 through Dec. 15, 2013, and resulted in the theft of 40 million credit cards. Likewise, Neiman Marcus recently disclosed that a breach that ran from July 16 to Oct. 30, 2013, resulted in the theft of up to 1.1 million cards. Finally, arts-and-crafts retailer Michaels Stores recently confirmed that it may have suffered a breach, but has yet to confirm whether any data was stolen.
Target and Neiman Marcus, at least, appear to have been targeted by online attackers wielding memory-scraping malware, which can intercept unencrypted card data from point-of-sale systems.
Beyond the retail hacks, as the apparent breach at White Lodging suggests, hoteliers -- given the volume of credit and debit card information they process -- have long been hacking targets too. For example, the Federal Trade Commission in 2012 filed a complaint against hospitality company Wyndham Worldwide Corporation -- which manages more than 7,000 hotels -- after it suffered three hack attacks in the space of two years, resulting in the estimated theft of more than 600,000 credit cards, leading to $10.6 million in fraudulent charges. The FTC alleged that the company failed to institute a robust information security program. Wyndham officials, however, have both denied that assessment and argued in court filings that Congress never granted the FTC "the authority to pursue such cases against American businesses." A federal judge is set to rule soon on the suit.
Meanwhile, the Senate banking committee was set to hold a hearing Monday afternoon about ways in which consumers' financial information could be better protected. The committee was set to hear testimony from the Payment Card Industry Security Standards Council, the American Bankers Association, the National Retail Foundation, a consumer rights group, and the FTC. Also due to testify was a representative of the Secret Service, which is reportedly leading the government's investigations into the data breaches at, and theft of card data from, the aforementioned retailers.
Next-gen intrusion-prevention systems have fuller visibility into applications and data. But do newer firewalls make IPS redundant? Also in the The IPS Makeover issue of Dark Reading Tech Digest: Find out what our 2013 Strategic Security Survey respondents have to say about IPS and firewalls. (Free registration required.)
Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.
View Full Bio