[BreachExchange] Nashville Hotel Suffered POS Breach for Three Years

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 6 19:19:51 EDT 2016


http://www.databreachtoday.com/nashville-hotel-suffered-
pos-breach-for-three-years-a-9381

The string of cyberattacks striking point-of-sale systems at hotels
continues unabated, as a Nashville, Tenn.-based hotel says POS malware
compromised its customers' payment card details for more than three years.

The disclosure underscores the continuing problems facing merchants as they
attempt to keep their payment card transactions secure. Cyberattackers are
still finding low-hanging fruit and have stepped up their attacks to
include the networks of POS vendors, which make the hardware and software
used for processing card transactions (see 1,000 Businesses Hit By POS
Malware).

The latest victim is Hutton Hotel, an upscale, 247-room facility in
Nashville owned by Carey Watermark Investors. Hutton Hotel's payment
processor notified it of a possible breach.

"Findings from the investigation show that unknown individuals were able to
install a program on the payment processing system at the Hutton Hotel
designed to capture payment card data as it was routed through the system,"
according to its Sept. 2 breach notification.

POS malware targets processing points inside payment systems where card
data may be unencrypted, such as the moment when a card gets swiped, but
before it gets stored. Such attacks have proved successful despite many
retailers implementing the Payment Card Industry Data Security Standard.
Card issuers require all businesses that handle cardholder information to
comply with PCI-DSS.

Unusually Long Breach

Hutton Hotel says the breach included the names, payment card numbers,
expiration dates and the verification codes for people who paid for or
placed reservations with the hotel from Sept. 19, 2012, through April 16,
2015. Also affected are people who used onsite food and beverage outlets
from Sept. 19, 2012, through Jan. 15, 2015, and from Aug. 12, 2015, through
June 10.

While many hotels have acknowledged payment card breaches, few have had
such long exposure times as that of Hutton Hotel. It suggests that despite
a nearly non-ending stream of warnings of large-scale breaches, some hotels
are still being caught off guard.

Hutton Hotel says it has put in place new security measures and is now
using "stand-alone payment processing devices" although it didn't explain
how that helps. Law enforcement has been notified, and the hotel is working
with payment card companies to identify those affected.

"For those guests that we can identify as having used their payment card
during the at-risk window and for whom we have a mailing or email address,
we will be mailing a letter or sending an email to them," it said.

Hutton Hotel officials couldn't immediately be reached for comment.

Systemic POS Problem?

Hutton Hotel's breach shares a link with other recent breaches. It is
managed by HEI Hotels & Resorts, which said on Aug. 15 that a POS malware
strike compromised 20 hotels.

HEI also manages hotels belonging to InterContinental Hotels Group. On Aug.
31, one chain owned by InterContinental Hotels Group, Kimpton Hotels &
Restaurants, warned of a breach. Kimpton, which has 62 properties in about
30 U.S. cities, said names and payment card data may have been leaked by
POS malware over a nearly five-month period (see Kimpton Hotels Hit by Card
Breach).

The raft of hotel breaches comes as POS vendors are also being directly
attacked. Oracle warned in August that malware had been planted in a
support portal that's used for servicing and maintaining MICROS POS
systems. MICROS is one of the mostly widely used POS systems, with 330,000
customers in 180 countries (see MICROS Breach: What Happened?).

Smaller POS vendors have been hit as well, including Cin7, ECRS, NavyZebra,
PAR Technology and Uniwell. Those attacks were discovered by Alex Holden,
CISO for Hold Security, which tracks the underground trade in stolen data.

Those breaches follow a similar spate of POS malware infections at hotel
chains in recent months that have affected Hilton, Hyatt, Omni Hotels &
Resorts, Starwood Hotels and Resorts and Trump Hotels, among others.

Noble Breach Worse Than Suspected

On Aug. 24, meanwhile, Noble House Hotels and Resorts warned that one of
its properties - Ocean Key Resort & Spa in Key West, Fla. - had been
infected by POS malware from April 26 to June 8, and that anyone who used
the hotel, including its restaurant and bars, may have had their payment
card details stolen.

On Sept. 2, however, Noble released an updated breach notification warning
that 10 of its hotels or independent restaurants suffered a POS malware
breach that lasted from around April 25 up to August 5. The properties
range from the Kona Kai Resort & Spa in San Diego and the Edgewater hotel
in Seattle to the Blue Mermaid restaurant in San Francisco and the LaPlaya
Beach & Golf Resort in Naples, Fla.

Anyone who used a payment card at the affected properties during the breach
window may have had their name, card numbers, expiration numbers and CVV
numbers stolen.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160906/77bcb62e/attachment.html>


More information about the BreachExchange mailing list