Cyber attacks on POS systems and POS security breaches at hotels have become a regular affair now; we get to hear every now and then of hotels and hotel chains getting hacked and data getting stolen. The latest we hear is the news of a POS protection breach at Hutton Hotel in Nashville.
As per reports, the POS systems at the Nashville-based Hutton Hotel, which is an upscale hotel owned by Carey Watermark Investors (who acquired the hotel in 2013), have been attacked by POS malware and it could have caused data breach that could have been continuing for over three years.
A release by Hotel Hutton says- “After being alerted to a potential security incident by our payment processor, we began an investigation of our payment card systems and engaged a leading website security firm to assist. Findings from the investigation show that unknown individuals were able to install a program on the payment processing system at the Hutton Hotel designed to capture payment card data as it was routed through the system. The program could have affected payment card data- including cardholder name, payment card account number, card expiration date, and verification code- of guests who used a payment card to pay for or place hotel reservations during the period from September 19, 2012, and April 16, 2015, or who made purchases at the onsite food and beverage outlets from November 15, 2015 to June 10, 2016.”
As the dates suggest, the malware attack could have caused data breaches from 2012 to 2016. Such a long exposure to malware strikes and subsequent POS data breaches is rather unusual; very few hotels have had POS security breaches for such a long period of time.
The Sept. 2 breach notification also details the steps the Hotel Hutton management has taken in the wake of detecting the POS malware strike- “Hutton Hotel has implemented enhanced security measures, including the use of stand-alone payment processing devices, to prevent any further unauthorized access to payment card data. We also notified law enforcement and will continue to support their investigation. In addition, we are working closely with the payment card companies to identify potentially affected cards so that the card issuers can be made aware and initiate heightened monitoring on those accounts. For those guests that we can identify as having used their payment card during the at-risk window and for whom we have a mailing address or email address, we will be mailing a letter or sending an email to them.”
To be noted is the fact that Hutton Hotel is managed by HEI Hotels and Resorts. Over a month ago, in mid-August, 20 hotels coming under the HEI group had reportedly detected malware hits and data compromise.