20 top US hotels hit by fresh malware attacks

If you've stayed at these hotels and have taken out your credit card at shops, bars, or restaurants, your financial data may be at risk.
Written by Charlie Osborne, Contributing Writer

A new swathe of US hotels has fallen prey to point-of-sale (PoS) malware which may have exposed customer financial data.

20 US hotels operated by HEI Hotel & Resorts on behalf of Starwood, Marriott, Hyatt, and Intercontinental may have leaked the financial data of customers due to malware installed at PoS terminals and systems, including at bars, restaurants, spas, and shops.

Hotel properties in cities including San Francisco, Chicago, Arlington, and Washington DC were included in the data breach. Malware was active at different stages depending on the property, but customer data was exposed between 2015 and 2016.

The full list is below:


HEI says that customer data including names, payment card account numbers, card expiration dates, and verification codes may have been captured by the malware.

However, the company insists that it does not store credit card numbers; rather, it is believed the malware captured this data as it was recorded in real time at PoS terminals.

"We take this matter and the security of personal information very seriously and we will continue to review and enhance our security measures to further secure our systems," the firm said. "Please accept our sincere regret for any concern or frustration that this incident may cause."

According to Reuters, the malware was discovered in June this year. However, HEI spokesman Chris Daly told the news agency that it is difficult to calculate the number of affected customers as they may have used their cards more than once.

The breach follows similar attacks launched against Hyatt Hotels and Starwood Hotels & Resorts in recent months.

In a statement, HEI said the breach has now been contained and the company plans to bolster its data security to lessen the risk of such cyberattacks taking place again. Law enforcement has been notified and the company is in the process of installing a new payment processing system which is separate from the main, core computer network.

Those who have stayed at these resorts will have to contact the hotel operator themselves if they believe their data is being used fraudulently due to the breach, as HEI says not enough information is stored to locate past customers.

Customers can call a free number for advice, but no free credit monitoring -- which has become something of a staple after a data breach involving customers -- is yet on offer.
