After the Target and Niemen Marcus network breaches, retailers are now hyper-vigilant about security. But the hotel industry may need to open its eyes a little wider.
White Lodging, a company that maintains hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin, appears to have suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013, according to KrebsOnSecurity.
“Earlier this month, multiple sources in the banking industry began sharing data indicating that they were seeing a pattern of fraud on hundreds of cards that were all previously used at Marriott hotels from roughly March 23, 2013 on through the end of last year,” said Brian Krebs, a security expert who runs the blog. “But those same sources said they were puzzled by the pattern of fraud, because it was seen only at specific Marriott hotels, including locations in Austin, Chicago Denver, Los Angeles, Louisville and Tampa.”
Marriott Speaks Out
As it turns out, Krebs said, the common thread among all those Marriott locations is the management company: Merrillville, Ind.-based White Lodging Services Corp. White Lodging bills itself as “a fully-integrated owner, developer and manager of premium brand hotels.” The Web site suggests its portfolio includes 168 full-service hotels in 21 states. That includes more than 30 restaurants.
“White Lodging declined to offer many details, saying in an emailed statement that “an investigation is in progress, and we will provide meaningful information as soon as it becomes available,” Krebbs said. He noted that Marriott also issued a statement explaining that one of its franchisees has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels.
“They are in the midst of the investigation and are in close contact with the banks and credit cards companies. We are working closely with the franchisee as they investigate the matter,” Marriott said. “Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide. As this impacts customers of Marriott hotels we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely.”
More Breaches to Come
Krebs notes that sources say the breach appears to have affected mainly restaurants, gift shops and other establishments within hotels managed by White Lodging -- not the property management systems that run the hotel front desk computers, which handle the checking in and out of guests.
“In the case of Marriott, for example, all Marriott establishments operated as franchises must use Marriott’s property management system,” he said. “As a result, the breach impacted only those Marriott guests who used their cards at White Lodging-managed gift shops and restaurants.”
We caught up with Tommy Chin, a technical support engineer at CORE Security, to get his take on the breach. He told us Kaptoxa, a new piece of malware, has infected a large number of retail information systems, according to a report from iSightPartners.
“Their report states you may be at risk if you have a POS system in operation. I believe there will be a good number of disclosed breached coming in the near future -- not just from retailers,” Chin said. “I’m sure that all the breaches to date have not yet been discovered.”