Starwood Hotel Chain Hit By Point of Sale Malware

Starwood Hotels and Resorts, a company that owns and operates approximately 1,200 hotels across North America, announced last week that a handful of point of sale systems at its hotels were hit by malware.

Travelers who stayed at either a Westin, Sheraton, or W hotel over the last year or so are going to want to check their bank statements sooner rather than later.

Starwood Hotels and Resorts, a company that owns and operates approximately 1,200 hotels across North America, including the aforementioned brands, announced last week that a handful of point of sale systems at its hotels were hit by malware.

In a letter posted to its site late Friday, company President Sergio Rivera informed customers that restaurants, gift shops, and other POS systems at 54 of its hotels were infected with malware.

Rivera doesn’t specify which kind of POS malware was used, but states that it was designed to siphon information, including customers’ names, payment card numbers, security codes, and expiration dates.

As is often the case with breach disclosures, the letter’s a little scant with details. Rivera claims the company recently became aware of the issue, but neglects to give any semblance of a timeline around when the company discovered the problem.

A fact sheet (.PDF) that the company provided, however, can help customers deduce how long – and which hotels – were infected.

Nearly every hotel hit by the breach was either a Westin, Sheraton, or W branded hotel, save for two of Starwood’s luxury resorts, The Palace Hotel in San Francisco and The Phoenician in Scottsdale, and a resort in Miami it runs, the St. Regis Bal Harbour.

Breaches at 11 of the hotels date back to 2014, but the bulk of them began in March of this year.

The length of time each hotel was infected varies. Some hotels had malware on their systems for a month, others for four or five months. Locations such as the Sheraton at Disney World in Orlando, Fla. and a Westin in Waltham, Mass. were infected for six months. In another instance, the POS systems at the W New Orleans, a hotel Starwood runs in that city’s French Quarter district, were infected for seven months, until the company resolved the threat this time last month.

The hackers didn’t discriminate when it came to hotels it targeted. Most were U.S.-based, but a W Retreat & Spa in Vieques Island, Puerto Rico, and two separate hotels, a Sheraton and a W, based in Montreal, Canada, were also hit.

While the retail world is about two years removed from one of the largest breaches in recent history, the Target breach, POS malware has grown markedly more sophisticated. Two new strains, Cherry Picker and Abaddon, were uncovered just last week. Researchers claim both look for credit card information by reading memory processes, and are better at staying hidden than their predecessors.

 

Suggested articles

New POS Malware PinkKite Takes Flight

Researchers shed light on a newly discovered family of point of sale malware that is extremely small in size and adept at siphoning credit card numbers from POS endpoints.

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.