Mandarin Oriental eradicates malware from credit card systems

After admitting to a security breach, the luxury hotel chain has managed to remove malware discovered on systems related to customer financial data.

Update: 13.27 GMT: Added Mandarian Oriental comments.

Mandarin Oriental has managed to eradicate malware which is believed to be responsible for a credit card security breach.


The luxury hotelier said in a statement Thursday that the company has removed malware which allowed remote attackers to access credit card systems present in hotels across the US and Europe. No hotels owned by the company in Asia suffered the same security breach.

The names of specific hotels and locations impacted have not been disclosed.

Mandarin Oriental is working with credit card agencies, law enforcement and forensics experts to improve security across the board and hopefully prevent a reoccurrence. Security protocols are being tested in each hotel location, but specific measures were not revealed by the company.

A cause for concern, however, is that Mandarin Oriental states the malware which affected "an isolated number of hotels" is "undetectable by all anti-viral systems."

The hotel group is vague when it comes to details concerning what data may have been stolen. Mandarin Oriental said:

"From the information we have to date, the breach has only affected credit card data and not any other personal guest data, and credit card security codes have not been compromised."

A Mandarin Oriental spokeswoman told ZDNet that the "credit card security codes' mentioned relates to the three-digit CSV security codes found on the back of credit cards.

According to security journalist Brian Krebs, financial industry sources and fraudulent transactions on cards recently used at the hotel chain alerted the corporation to a possible security breach. It is likely that Mandarin Oriental's point-of-sale (PoS) systems were infected with the malware, which could have accessed systems without authorization and stolen credit card data.

If customers believe their credit cards may have been compromised, the company only said they "recommend you contact your credit card provider directly."

The retail industry is a tempting target for cybercriminals looking to cash-in on stolen financial data. In recent times, US retailer Target suffered one of the most well-known security breaches through its point of sale systems. In total, the breach at U.S. retailer Target -- taking place in November 2013 -- resulted in the theft of at least 40 million customer records containing financial data, in addition to approximately 70 million records with sensitive personal information including customer addresses.

Speaking to ZDNet, iboss Network Security Founder and CEO Paul Martini commented:

"With news of yet another major data breach, we are reminded again that many cybersecurity systems are not sufficient to prevent the leak of sensitive customer information. Incidents of this nature are becoming increasingly common and many important computer systems are vulnerable to modern, sophisticated threats aimed at stealing data. Organizations must invest in post- infection software that can quickly identify these security breakdowns to prevent valuable information from being stolen."

Mandarin Oriental operates and has 44 hotels under development in 24 countries, including 20 hotels in Asia, 10 in the United States and 14 in Europe, Middle East and North Africa.

Read on: In the world of security