Hotel owner and operator HEI Hotels & Resorts disclosed
over the weekend that malware discovered on point-of-sale systems at 20 of its
hotels may have compromised payment cards used in tens of thousands of
transactions.
The Norwalk, Conn.-based company operates hotels for
Marriott International, Starwood Hotels & Resorts, InterContentinal Hotels
Group and Hyatt Hotels Corp. According to HEI's timeline, the attacks occurred
as early as March 1, 2015, at some hotels and lasted as long as mid-June 2016.
Some hotels, such as the Sheraton Music City Hotel in
Nashville, were compromised for more than a year, while others were compromised
for a few months. HEI has posted a full list of its properties and the dates
they were affected on its website.
HEI said the malware was located on POS systems in its spas,
restaurants and gift shops. The payment card information collected included
cardholder names, account numbers, expiration dates and card verification
codes. The company has contained and removed the malware and reconfigured the
POS systems to prevent future security incidents, according to HEI.
HEI's disclosure follows that of Kimpton
Hotels & Restaurants in late July. Similar
attacks also have occurred at Hilton
Worldwide, Hyatt Hotels Corp., Omni
Hotels & Resorts, Starwood
Hotels & Resorts and Trump
Hotels.