Luxury hotel chain Hilton has revealed that some of its payment systems have been infected with malware that organised the theft of targeted customer information.
Cardholder names, payment card numbers, security codes and expiration dates were among the information targeted by the malware, which infected POS (Point of Sale) systems in hotels.
However, no addresses or personal identification numbers (PINs) were stolen, Hilton added, saying that it quickly eliminated the malware, which was uncovered by a third-party investigation authorised by the company.
Anyone who thinks they may have been affected by the breach is being offered a year’s worth of free credit monitoring.
“On behalf of Hilton Worldwide, we sincerely regret any inconvenience related to our recent announcement that we identified and eradicated unauthorised malware that targeted payment card information in some point-of-sale systems at our hotels,” Jim Holthouser, Hilton’s executive vice president of global brands, wrote in a statement.
“You have my personal assurance that we take this matter very seriously, and we immediately launched an investigation and further strengthened our systems.”
The hack is the second to affect a major hotel chain in a matter of days, after Starwood Hotels revealed it had suffered a similar breach of its payment systems.
Starwood said 54 North American locations were compromised by point-of-sale malware, which was designed to steal payment card information including cardholder name, card number, security code and expiration date.
The breaches show that hospitality service providers face extraordinary challenges with customer data security at point of sale (POS), security experts have said.
“Point of sale (POS) systems – what consumers often call the checkout system – are often the weak link in the chain and the choice of malware,” said Mark Bower, HPE Security’s global director of product management, enterprise data security.
“Risk of theft from point of sale (POS) malware is totally avoidable. The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost-reducing benefit to PCI compliance. Encrypting the data in the card reading terminal ahead of the POS eliminates the exposure of live information in vulnerable POS systems. No live data means no gold to steal. Attackers don’t like stealing straw.”