Fraudsters find Starwood hotel chain hospitable to breach

November 24, 2015

STAMFORD, Conn. (11/24/15)--Cybercriminals have implanted card data-gathering malware in point-of-sale systems at dozens of Starwood Hotels and Resorts locations in North America, the hotel chain recently confirmed.

The hotel chain published a list of more than 50 locations scattered throughout the United States and Canada that were affected by the breach. said that, based on that list, the breach likely started in November 2014 and ended in April or May.

The breach also likely spread to restaurants, gift shops and other point-of-sale systems that touch Starwood properties, according to Krebs.

“We have no indication at this time that our guest reservation or Starwood Preferred Guest membership systems were impacted,” said Sergio Rivera, president/CEO of Starwood, which was recently purchased by Marriott International. “The malware was designed to collect certain payment card information, including cardholder names, payment card numbers, security codes and expiration dates. There is no evidence that other customer information, such as contact information, Social Security numbers or PINs, were affected by this issue.”

Meanwhile, an executive with a leading U.S. card issuer told Information Security Group recently that the massive hotel chain Hilton Hotels & Resorts has suffered an even larger breach that the company has yet to publicize.

“We’re starting to see significant fraud linking back to various Hilton properties,” the executive said. “Initially, we thought timeframe started in April 2015. But based on new fraud trends, we believe it may go back as far as November 2014.”

CUNA continues to urge lawmakers to pass legislation that would ratchet up data security standards for merchants, who do not have to meet the same very strict standards that are imposed upon financial institutions.