Hotels from Vermont to California have been victimized in a data breach that may have leaked payment data from tens of thousands of point of sale purchases.

Customers who frequented 20 hotels run by HEI Hotels and Resorts, a hospitality operator whose properties carry brand names such as Marriott, Sheraton, and Westin, may be affected, the company said this weekend in a notice about the breach.

Customers at six Westin hotels, three Marriott hotels, and two Le Meridien hotels, along with an Intercontinental, a Renaissance, and a Hyatt hotel, among others, may be affected by the breach.

Officials at the hotel operator said the breach was the work of malware designed to siphon customer payment card data, including names, card numbers, card expiration dates, and verification codes, from its payment processing systems. HEI says it was alerted to the incident, in which the malicious software was installed on those systems, by its card processor.
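The notice does not say how this particular malware located card data, but POS memory scrapers generally work the same way: they search the memory of the payment application for magnetic-stripe Track 1 and Track 2 records, which carry exactly the fields listed above, and confirm each candidate card number with the Luhn checksum so that random digit runs are discarded. The same pattern-plus-Luhn logic is what a responder runs over a memory dump from a suspect terminal to confirm what was exposed. The following Python is an added example written for this article, not code from HEI, its processor, or the malware; the memory buffer and cardholder name are constructed, and the card numbers are the public test numbers, not real cards.

```python
"""Hunt for magnetic-stripe track data in a memory buffer the way a POS RAM
scraper (or a defender searching for its loot) does: regex for ISO 7813 Track 1
and Track 2 records, then a Luhn check on the PAN to discard false positives.

Added example for this article; it is not code from HEI or the malware. The
buffer below is constructed and uses public test card numbers.
"""
import re
from typing import Dict, List

# Track 1 (format B): %B<PAN>^<LAST/FIRST>^<YY><MM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YY><MM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})[^?]*\?")


def luhn_valid(pan: str) -> bool:
    """ISO 7812 check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four digits (the usual display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> List[Dict]:
    """Return Luhn-valid track records found in buf, ordered by offset."""
    hits: List[Dict] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": pan,
                         "name": m.group(2).decode().strip(),
                         "expires": m.group(4).decode() + "/" + m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": pan,
                         "name": None,
                         "expires": m.group(3).decode() + "/" + m.group(2).decode()})
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed stand-in for a slice of a POS process's memory: log noise, one
# Track 1 record, one Track 2 record, and a Track 2 record whose PAN fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00folio 4412 settled\x00\x00"
    b"%B4111111111111111^DOE/JANE^2412101000000000?\x00\x00"
    b"rcpt;5555555555554444=2507201000000?\x00"
    b";4111111111111112=2501101000?\x00\x00"
)

if __name__ == "__main__":
    for h in find_track_data(SAMPLE_MEMORY):
        who = h["name"] or "-"
        print(f"track {h['track']} @0x{h['offset']:04x}: {mask_pan(h['pan'])} exp {h['expires']} {who}")
```

Run against the constructed buffer it reports two cards and silently drops the third, whose check digit is wrong. On a real dump, mask every PAN before it reaches a ticket or log, as the script does; a forensic report that copies full card numbers around creates a second exposure.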

The hotel operator did not go into much detail about the breach, but judging by a chart it provided to hotel property owners, in some instances the malware persisted for months.

According to the chart, the earliest the malware was present on systems was March 2015; the latest was June 2016.

The Sheraton Music City Hotel in Nashville, Tenn. was infected the longest, more than a year, from March 2015 to June 2016, according to the chart. The Westin in Pasadena, Calif. was also infected for more than a year, from March 2015 to May 2016.

Officials from HEI did not immediately return a request for comment on Monday but wrote in a press release that the operator was able to disable the malware and is taking steps to remediate the issue. The operator says it is in the midst of transitioning payment card processing to a stand-alone system that is separated from the rest of its network, and is reconfiguring components of that network and its payment systems to “enhance the security of the systems.”

It’s unclear exactly how many victims may be affected by the breach, but according to Reuters, citing a conversation with Chris Daly, a spokesman for HEI, the figure could be hundreds of thousands of transactions.

Daly said 8,000 transactions were made during the affected period at the Hyatt Centric in Santa Barbara, Calif. and 12,800 at the IHG Intercontinental in Tampa, Fla.

Travelers who stay at large hotel chains would be well served to check their bank statements regularly. Restaurants, gift shops, spas, and other POS systems at hotels remain perennial targets for attackers looking to steal consumer data. For example, 54 Sheraton, W, and Westin hotels, chains owned by Starwood Hotels and Resorts, were hit by POS malware last fall. Just two months prior to Starwood’s announcement, Hilton Worldwide said it was looking into a point of sale compromise that may have dated back to November 2014.

Kimpton Hotels & Restaurants, a chain of 62 boutique hotels, announced earlier this summer that there had been a string of bogus charges on payment cards used at its locations, but did not provide details about what may have led to the breach.
