Hotels in 10 states, DC may have been hit by hackers


Associated Press

NEW YORK

An undisclosed number of people who used credit cards at 20 Hyatt, Sheraton, Marriott, Westin and other hotels in 10 states and the District of Columbia may have had their cards compromised as a result of a hack of the hotels’ payment system.

HEI Hotels & Resorts, which operates just under 60 hotels and resorts under a variety of brands, said that after being notified by its credit card processor of a potential breach, it conducted an internal investigation that found malware on its payment-processing systems at the 20 properties. The malware was designed to capture debit- and credit-card information such as names, card account numbers, card expiration dates and verification codes, as it flowed through the systems.

According to the Norwalk, Conn., company, the hack potentially affected cards used at point-of-sale terminals, such as those at the hotels’ restaurants and stores, between December 2015 and June 2016. Systems at a few of the affected locations were found to have been infected with the malware as early as March 2015.

Among the hotel chains, Hilton Worldwide, Trump Hotel Collection and Starwood Hotels & Resorts have all confirmed POS system breaches within the past year or so. More recently, fast-food chains Wendy’s and Cici’s Pizza acknowledged breaches of their systems in the past few months.

Yet the black market value of credit-card numbers has tumbled, largely as a result of better fraud prevention technology that allows banks to spot and stop bad transactions faster. As a result, many thieves have moved on to target more lucrative information such as health care data.

HEI said in its notice to consumers that once it found out about the breach of its systems, it transitioned payment card processing to a stand-alone system that’s completely separate from the rest of its network. It disabled the malware and is in the process of reconfiguring various components of its network and payment systems to make them more secure.

The company said in its statement that it’s continuing to cooperate with the law-enforcement investigation and coordinating with banks and payment card companies. It added that the breach has been contained and customers can safely use cards at all of its properties. HEI officials didn’t return a call seeking additional comment.