Starwood hotels fall prey to point of sale malware

The customers of 54 hotels now need to keep an eye on their credit as financial data has been stolen.
Written by Charlie Osborne, Contributing Writer

Starwood has admitted that a security breach taking place at 54 hotels has resulted in the theft of financial data from customers.

Last week, the hotel chain admitted that a "limited number" of hotels in the US have become infected with malware, enabling cyberattackers to access financial data belonging to customers.

In a media advisory (.PDF), the hotel chain admitted that the payment card data of clients may have been taken, as the malware was designed to "collect certain payment card information, including cardholder name, payment card number, security code and expiration date."

Point-of-sale (POS) malware is a common way for attackers to harvest credit card details used in payments and other financial transactions.

Target and Oracle are only two of the many victims over the past few years that have suffered data breaches due to this kind of malicious code, which, once installed, scrapes financial data and sends the stolen information to its criminal controllers.

This data is then used to create cloned cards, empty bank accounts or conduct identity theft.

While Starwood says that at this time there is "no evidence" to suggest that contact information or PIN codes were stolen, or that either guest reservation or Starwood Preferred Guest membership systems were affected by the security breach, the card information stolen is enough to cause serious issues for unlucky customers.

The malware was discovered on a number of point-of-sale systems in Starwood resorts, including those at certain restaurants and gift shops, among other systems. However, no more information concerning the type of malware or how it was found has yet been released.

In total, 54 establishments have been impacted (.PDF), including hotels in San Francisco, New Orleans, New York, Boston and Seattle. While the dates of infection vary from place to place, the POS malware remained active on some systems for months over the course of 2014 and 2015.

"Protecting our customers' information is critically important to Starwood and we take this issue extremely seriously," said Sergio Rivera, Starwood President.

"Quickly after we became aware of the possible issue, we took prompt action to determine the facts. We have been working closely with law enforcement authorities and have been coordinating our efforts with the payment card organizations. We want to assure our customers that we have implemented additional security measures to help prevent this type of crime from reoccurring."

Starwood has brought in external help to investigate how the malware was able to infect the firm's POS systems, and has wiped systems clean of the infection. The hotel chain is also offering free credit monitoring for one year -- hardly a consolation prize for those who now have to worry about their identity potentially being stolen, but it is the go-to response of many companies which experience a data breach today.
