Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Hotel Company Investigates Data Breach, Card Fraud

White Lodging, which manages 168 hotels under Hilton, Marriott, and Sheraton brand names, is investigating a suspected credit and debit card breach.

Top 10 Retail CIO Priorities For 2014
Top 10 Retail CIO Priorities For 2014
(Click image for larger view and slideshow.)

Update: 2/5/14
White Lodge has named 14 hotels -- as well as some hotel restaurants and lounges -- where "the suspected breach of point of sales systems" occurred, from March 20 to Dec. 16, 2013:

  • Marriott Midway, Chicago, Ill.
  • Holiday Inn Midway, Chicago, Ill.
  • Holiday Inn Austin Northwest, Austin, Texas
  • Sheraton Erie Bayfront, Erie, Pa.
  • Westin Austin at the Domain, Austin, Texas
  • Marriott Boulder, Boulder, Colo.
  • Marriott Denver South, Denver, Colo.
  • Marriott Austin South, Austin, Texas
  • Marriott Indianapolis Downtown, Indianapolis, Ind.
  • Marriott Richmond Downtown, Richmond, Va.
  • Marriott Louisville Downtown, Louisville Ky.
  • Renaissance Plantation, Plantation, Fla.
  • Renaissance Broomfield Flatiron, Broomfield, Colo.
  • Radisson Star Plaza, Merrillville, Ind.

It said other properties weren't affected.

White Lodging Services, a hospitality company that manages 168 hotels in 21 states -- under franchises from Hilton, Marriott, Sheraton, and Westin -- is investigating reports that it suffered a data breach that lasted from March 2013 until the end of the year.

Word of the breaches first surfaced Friday when security journalist Brian Krebs reported that unnamed card processors had tied fraud involving hundreds of credit cards to a number of Marriott properties operated by White Lodging Services, which is based in Merrillville, Ind. The affected hotels were located in Austin, Texas, Chicago, Denver, Los Angeles, Louisville, Ky., and Tampa, Fla., among other cities, reported Krebs.

White Lodging confirmed Saturday that it's investigating the reported data breach. "An investigation is in progress, and we will provide meaningful information as soon as it becomes available," White Lodge spokeswoman Kathleen Quilligan told The Times of Northwest Indiana.

White Lodge, described on the company's website as "a fully integrated hotel ownership, development, and operations company," is owned by Dean White, 90, whose hotel, real estate, and billboard business empire has given him what Forbes estimated to be a net worth of $1.9 billion. His company now manages 168 hotels under a variety of brand names, including Hilton and its Hampton Inn brand; Hyatt; Marriott and its Courtyard, Fairfield Inn, Renaissance, Residence Inn, and Springhill Suites brands; and Starwood and its Sheraton and Westin brands.

[Learn more about How To Defend Point-Of-Sale Systems.]

Spokesmen for Hilton and Starwood Hotels and Resorts Worldwide did not immediately respond to an emailed request for comment on the apparent data breach.

But Saturday, Marriott issued a statement about the "White Lodging Data Breach," which confirmed that unusual levels of fraud had been detected at the hospitality company.

"One of our franchise management companies has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels," the Marriott statement read. "They are in the midst of the investigation and are in close contact with the banks and credit cards companies."

Marriott said that it had no more details to share, at least not yet. "Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide," it said. "Since this impacts customers of Marriott properties, we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely."

A Marriott spokesman didn't immediately respond to an emailed request for comment about what the latter part of that statement meant, and if by "commitment to protect the privacy" of its customers, Marriott meant that it would compensate anyone affected by the breach.

White Lodging-owned JW Marriott Indianapolis. (Credit: Wikimedia Commons.
White Lodging-owned JW Marriott Indianapolis. (Credit: Wikimedia Commons.

The potential White Lodging data breach comes in the wake of recently discovered breaches at several major retailers, including Target, which suffered a breach that ran from Nov. 27 through Dec. 15, 2013, and resulted in the theft of 40 million credit cards. Likewise, Neiman Marcus recently disclosed that a breach that ran from July 16 to Oct. 30, 2013, resulted in the theft of up to 1.1 million cards. Finally, arts-and-crafts retailer Michaels Stores recently confirmed that it may have suffered a breach, but has yet to confirm whether any data was stolen.

Target and Neiman Marcus, at least, appear to have been targeted by online attackers wielding memory-scraping malware, which can intercept unencrypted card data from point-of-sale systems.

Beyond the retail hacks, as the apparent breach at White Lodging suggests, hoteliers -- given the volume of credit and debit card information they process -- have long been hacking targets too. For example, the Federal Trade Commission in 2012 filed a complaint against hospitality company Wyndham Worldwide Corporation -- which manages more than 7,000 hotels -- after it suffered three hack attacks in the space of two years, resulting in the estimated theft of more than 600,000 credit cards, leading to $10.6 million in fraudulent charges. The FTC alleged that the company failed to institute a robust information security program. Wyndham officials, however, have both denied that assessment and argued in court filings that Congress never granted the FTC "the authority to pursue such cases against American businesses." A federal judge is set to rule soon on the suit.

Meanwhile, the Senate banking committee was set to hold a hearing Monday afternoon about ways in which consumers' financial information could be better protected. The committee was set to hear testimony from the Payment Card Industry Security Standards Council, the American Bankers Association, the National Retail Foundation, a consumer rights group, and the FTC. Also due to testify was a representative of the Secret Service, which is reportedly leading the government's investigations into the data breaches at, and theft of card data from, the aforementioned retailers.

Next-gen intrusion-prevention systems have fuller visibility into applications and data. But do newer firewalls make IPS redundant? Also in the The IPS Makeover issue of Dark Reading Tech Digest: Find out what our 2013 Strategic Security Survey respondents have to say about IPS and firewalls. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
amanda travis
amanda travis,
User Rank: Apprentice
7/5/2014 | 1:40:00 AM
Re: No perfect security
Thanks for this post. I find it very interesting. A proposed credit card hotline is the latest issue to fuel the fiery debate over the Consumer Financial Protection Bureau. The hotline would essentially take calls from concerned customers, and the agency would compile grievances about charge card companies. It pays to be very careful in choosing sources for this matter to avoid scam.
User Rank: Apprentice
5/26/2014 | 11:54:15 AM
Re: Dont think its just these properties.
Scams are everywhere. So please watch out for this bogus tricks folks! Always be wary of individuals selling stuff door to door, as a number are rip-off artists. Apart from Girl Scouts attempting to get people hooked on diabolically addicting cookies, there are a number of door-to-door scams out there.
User Rank: Apprentice
2/6/2014 | 5:06:43 PM
Dont think its just these properties.
I don't think it's solely limited to those properties.  I stayed in two of their other properties in North Austin, and one of theirs in Chandler, AZ.  American Express called to inform me that my card number was stolen and was attempted to charge items in South Africa.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
2/6/2014 | 8:18:56 AM
Re: No perfect security
Great analogy about "teaching to the test." Meeting a compliance reg is only a part of the solution. The real security goal is to ensure that everyone at all levels -- users, techies, security experts, etc. -- understand the organizations's overarching security goals, are grounded in best security practices and are kept up to date on emerging tech trends that add to security risks (like your example of  IP video surveilance cameras). Thanks for the thoughtful response!
User Rank: Strategist
2/5/2014 | 7:51:19 PM
Re: No perfect security
Being in or out of compliance is evaluated against a set of tests that are designed to provide evidence of various practices. Behing each test there a principle that the test is evaluating. You can pass the test and still be doing things that violate the principle.

Here's a brief example. I can put in video surveillance to make sure my cashiers are skimming credit numbers. That helps me protect credit card data. However, if my video recording actually sees the card numbers that the customer is handing to my cashiers, I now have a copy of that credit card on the video surveillance that may not be as secure as my point of sale units.

The intent, or principle, is about protecting card data. By focusing on one area of protection instead of looking holistically, I can unintentionally violate that principle while achieving 100% compliance on the test. Likewise, I can spend all my time locking down my network to protect our systems, but when that lockdown becomes so draconian that my staff decide to take shortcuts to make their jobs easier, security suffers.

It's like with standardized testing in schools. It's better for all society if kids learn the subject, rather than just learn enough to spit out the answers to a test.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
2/5/2014 | 2:09:26 PM
Re: No perfect security
...if companies are maintaining compliance by focusing on strong security practices that target the intent of the PCI DSS, the likelihood of a breach goes down.

Thats an interesting way to look at PCI-DSS. What do you mean by intent versus strict compliance. 
User Rank: Strategist
2/3/2014 | 12:33:04 PM
No perfect security
Even if you are indisuptably 100% compliant with the PCI Data Security Standards, you can suffer a breach. There is no such thing as perfect security. However, if companies are maintaining compliance by focusing on strong security practices that target the intent of the PCI DSS, the likelihood of a breach goes down. More importantly, being in compliance and having that be part of the corporate culture should make it easier and less costly to deal with a breach once it is discovered.
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file