2/5/2014 11:47 AM

Hotel Company Investigates Data Breach, Card Fraud

White Lodging, which manages 168 hotels under Hilton, Marriott, and Sheraton brand names, is investigating a suspected credit and debit card breach.
Update: 2/5/14
White Lodging has named 14 hotels -- as well as some hotel restaurants and lounges -- where "the suspected breach of point of sales systems" occurred, from March 20 to Dec. 16, 2013:

  • Marriott Midway, Chicago, Ill.
  • Holiday Inn Midway, Chicago, Ill.
  • Holiday Inn Austin Northwest, Austin, Texas
  • Sheraton Erie Bayfront, Erie, Pa.
  • Westin Austin at the Domain, Austin, Texas
  • Marriott Boulder, Boulder, Colo.
  • Marriott Denver South, Denver, Colo.
  • Marriott Austin South, Austin, Texas
  • Marriott Indianapolis Downtown, Indianapolis, Ind.
  • Marriott Richmond Downtown, Richmond, Va.
  • Marriott Louisville Downtown, Louisville, Ky.
  • Renaissance Plantation, Plantation, Fla.
  • Renaissance Broomfield Flatiron, Broomfield, Colo.
  • Radisson Star Plaza, Merrillville, Ind.

It said other properties weren't affected.

White Lodging Services, a hospitality company that manages 168 hotels in 21 states -- under franchises from Hilton, Marriott, Sheraton, and Westin -- is investigating reports that it suffered a data breach that lasted from March 2013 until the end of the year.

Word of the breaches first surfaced Friday when security journalist Brian Krebs reported that unnamed card processors had tied fraud involving hundreds of credit cards to a number of Marriott properties operated by White Lodging Services, which is based in Merrillville, Ind. The affected hotels were located in Austin, Texas, Chicago, Denver, Los Angeles, Louisville, Ky., and Tampa, Fla., among other cities, reported Krebs.

White Lodging confirmed Saturday that it's investigating the reported data breach. "An investigation is in progress, and we will provide meaningful information as soon as it becomes available," White Lodging spokeswoman Kathleen Quilligan told The Times of Northwest Indiana.

White Lodging, described on the company's website as "a fully integrated hotel ownership, development, and operations company," is owned by Dean White, 90, whose hotel, real estate, and billboard business empire has given him what Forbes estimated to be a net worth of $1.9 billion. His company now manages 168 hotels under a variety of brand names, including Hilton and its Hampton Inn brand; Hyatt; Marriott and its Courtyard, Fairfield Inn, Renaissance, Residence Inn, and Springhill Suites brands; and Starwood and its Sheraton and Westin brands.
Spokesmen for Hilton and Starwood Hotels and Resorts Worldwide did not immediately respond to an emailed request for comment on the apparent data breach.

But Saturday, Marriott issued a statement about the "White Lodging Data Breach," which confirmed that unusual levels of fraud had been detected at the hospitality company.

"One of our franchise management companies has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels," the Marriott statement read. "They are in the midst of the investigation and are in close contact with the banks and credit card companies."

Marriott said that it had no more details to share, at least not yet. "Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide," it said. "Since this impacts customers of Marriott properties, we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely."

A Marriott spokesman didn't immediately respond to an emailed request for comment about what the latter part of that statement meant, and if by "commitment to protect the privacy" of its customers, Marriott meant that it would compensate anyone affected by the breach.

White Lodging-owned JW Marriott Indianapolis. (Credit: Wikimedia Commons.)

The potential White Lodging data breach comes in the wake of recently discovered breaches at several major retailers, including Target, which suffered a breach that ran from Nov. 27 through Dec. 15, 2013, and resulted in the theft of 40 million credit cards. Likewise, Neiman Marcus recently disclosed that a breach that ran from July 16 to Oct. 30, 2013, resulted in the theft of up to 1.1 million cards. Finally, arts-and-crafts retailer Michaels Stores recently confirmed that it may have suffered a breach, but has yet to confirm whether any data was stolen.

Target and Neiman Marcus, at least, appear to have been targeted by online attackers wielding memory-scraping malware, which can intercept unencrypted card data from point-of-sale systems.

Beyond the retail hacks, as the apparent breach at White Lodging suggests, hoteliers -- given the volume of credit and debit card information they process -- have long been hacking targets too. For example, the Federal Trade Commission in 2012 filed a complaint against hospitality company Wyndham Worldwide Corporation -- which manages more than 7,000 hotels -- after it suffered three hack attacks in the space of two years, resulting in the estimated theft of more than 600,000 credit cards, leading to $10.6 million in fraudulent charges. The FTC alleged that the company failed to institute a robust information security program. Wyndham officials, however, have both denied that assessment and argued in court filings that Congress never granted the FTC "the authority to pursue such cases against American businesses." A federal judge is set to rule soon on the suit.

Meanwhile, the Senate banking committee was set to hold a hearing Monday afternoon about ways in which consumers' financial information could be better protected. The committee was set to hear testimony from the Payment Card Industry Security Standards Council, the American Bankers Association, the National Retail Foundation, a consumer rights group, and the FTC. Also due to testify was a representative of the Secret Service, which is reportedly leading the government's investigations into the data breaches at, and theft of card data from, the aforementioned retailers.

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments

jagibbons, User Rank: Strategist, 2/3/2014 | 12:33:04 PM
No perfect security
Even if you are indisputably 100% compliant with the PCI Data Security Standards, you can suffer a breach. There is no such thing as perfect security. However, if companies are maintaining compliance by focusing on strong security practices that target the intent of the PCI DSS, the likelihood of a breach goes down. More importantly, being in compliance and having that be part of the corporate culture should make it easier and less costly to deal with a breach once it is discovered.

Marilyn Cohodas, User Rank: Strategist, 2/5/2014 | 2:09:26 PM
Re: No perfect security
...if companies are maintaining compliance by focusing on strong security practices that target the intent of the PCI DSS, the likelihood of a breach goes down.

That's an interesting way to look at PCI-DSS. What do you mean by intent versus strict compliance?

jagibbons, User Rank: Strategist, 2/5/2014 | 7:51:19 PM
Re: No perfect security
Being in or out of compliance is evaluated against a set of tests that are designed to provide evidence of various practices. Behind each test there is a principle that the test is evaluating. You can pass the test and still be doing things that violate the principle.

Here's a brief example. I can put in video surveillance to make sure my cashiers are skimming credit numbers. That helps me protect credit card data. However, if my video recording actually sees the card numbers that the customer is handing to my cashiers, I now have a copy of that credit card on the video surveillance that may not be as secure as my point of sale units.

The intent, or principle, is about protecting card data. By focusing on one area of protection instead of looking holistically, I can unintentionally violate that principle while achieving 100% compliance on the test. Likewise, I can spend all my time locking down my network to protect our systems, but when that lockdown becomes so draconian that my staff decide to take shortcuts to make their jobs easier, security suffers.

It's like with standardized testing in schools. It's better for all society if kids learn the subject, rather than just learn enough to spit out the answers to a test.

Marilyn Cohodas, User Rank: Strategist, 2/6/2014 | 8:18:56 AM
Re: No perfect security
Great analogy about "teaching to the test." Meeting a compliance reg is only a part of the solution. The real security goal is to ensure that everyone at all levels -- users, techies, security experts, etc. -- understand the organization's overarching security goals, are grounded in best security practices and are kept up to date on emerging tech trends that add to security risks (like your example of IP video surveillance cameras). Thanks for the thoughtful response!

AaronP916, User Rank: Apprentice, 2/6/2014 | 5:06:43 PM
Don't think it's just these properties.
I don't think it's solely limited to those properties. I stayed in two of their other properties in North Austin, and one of theirs in Chandler, AZ. American Express called to inform me that my card number was stolen and was attempted to charge items in South Africa.

catvalencia, User Rank: Apprentice, 5/26/2014 | 11:54:15 AM
Re: Don't think it's just these properties.
Scams are everywhere. So please watch out for these bogus tricks, folks! Always be wary of individuals selling stuff door to door, as a number are rip-off artists. Apart from Girl Scouts attempting to get people hooked on diabolically addicting cookies, there are a number of door-to-door scams out there.

amanda travis, User Rank: Apprentice, 7/5/2014 | 1:40:00 AM
Re: No perfect security
Thanks for this post. I find it very interesting. A proposed credit card hotline is the latest issue to fuel the fiery debate over the Consumer Financial Protection Bureau. The hotline would essentially take calls from concerned customers, and the agency would compile grievances about charge card companies. It pays to be very careful in choosing sources for this matter to avoid scam.