PINDROP BLOG

Breach at Hotel Operator HEI Targeted Payment Card System

Customers of 20 hotels from a variety of operators are being warned about a compromise of payment card systems at HEI Hotels and Resorts that resulted in the theft of a wide range of card data.

The attack on HEI, which owns and operates hotels from a number of chains, including Marriott, Westin, Sheraton, and others, apparently targeted point-of-sale systems and involved malware that could grab card data in real time. The company said it has disabled the malware and has moved its payment processing to a separate network as part of the remediation process.

“We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered, including engaging outside data forensic experts to assist us in investigating and re mediating the situation and promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network.  In addition, we have disabled the malware and are in the process of re configuring various components of our network and payment systems to enhance the security of these systems,” HEI said in a notice to customers.

“We have disabled the malware and are in the process of re configuring various components of our network”

“We have contacted law enforcement and will continue to cooperate with their investigation. We are also coordinating with the banks and payment card companies. While we are continuing to review and enhance our security measures, the incident has now been contained and customers can safely use payment cards at all HEI properties.”

The time frame of the breach varies by property, but runs from the beginning of March 2015 through the middle of June 2016.

Payment card systems have become a key target for attackers. Malware specifically designed to compromise PoS systems is more and more common these days and has been used in many large data breaches, including the Target and Home Depot attacks. Typically, that kind of malware is able to capture card data as it is entered and before it is encrypted, which appears to be the case in the HEI breach. The company said that it does not store card data and the attackers were able to steal that information during the transactions.