Data Breach , Fraud , Payments Fraud

Hilton Hotels: We Were Breached

Hilton Confirms Payment Card Data Was Stolen
Hilton Hotels: We Were Breached

Reversing recent claims that it was unaware of any data breaches, hotel chain Hilton Worldwide now acknowledges that it suffered a breach that affected an unspecified number of hotels, customers and payment cards in 2014 and 2015.

See Also: 2016 Enterprise Security Study - the Results

The breach stemmed from "unauthorized malware that targeted payment card information in some point-of-sale systems," McLean, Va.-based Hilton says in a Nov. 24 press release. The company adds that the POS malware successfully stole cardholders' names, plus payment card numbers, security codes and expiration dates, but that no addresses or personal identification numbers for cards were stolen.

The statement comes less than one week after a Hilton spokesman told Information Security Media Group that the company was not aware of any network intrusion or resulting fraud incidents that suggested that it had been breached (see Banks: Starwood Breach Not Isolated). Now, however, the company says it has just concluded a breach investigation stemming from multiple malware infections, the last of which ended in July.

Security blogger Brian Krebs on Sept. 25 was the first to report of a possible breach at Hilton, which he said was based on multiple banks seeing card fraud at restaurant and gift-shop POS systems in numerous Hilton Worldwide locations.

Meanwhile, multiple sources reported to ISMG that they were seeing fraud incidents that pointed directly to Hilton.

"We're starting to see significant fraud linking back to various Hilton properties," said one executive with a leading U.S. issuer on the West Coast, who asked not to be identified. "Initially, we thought the timeframe started in April 2015. But based on new fraud trends, we believe it may go back as far as November 2014."

When asked if the fraud patterns could be linked to a different hotel chain, rather than Hilton, this executive said no. "We are confident Hilton was also comprised."

Nearly two months after reports first surfaced, Hilton has now confirmed being breached. "On behalf of Hilton Worldwide, we sincerely regret any inconvenience related to our recent announcement that we identified and eradicated unauthorized malware that targeted payment card information in some point-of-sale systems at our hotels," Jim Holthouser, Hilton's executive vice president of global brands, says in a Nov. 24 "Message to Our Valued Customers."

Hilton's breach notification follows Starwood Hotels and Resorts recently confirming that it had suffered a similar breach tied to its restaurants, gift shops and other POS systems at multiple properties across North America. "Hilton is just the latest in a growing list of hotels and resorts that have recently found their systems compromised by malware - other victims have included Hard Rock's Las Vegas Hotel & Casino, the Las Vegas Sands casino, Trump Hotels, Mandarin Oriental and FireKeepers Casino and Hotel," says security expert Graham Cluley in a blog post (see Trump Hotels Confirms POS Malware Breach).

Hilton: Two Breach Periods

Hilton says that based on an investigation that was conducted by unnamed third-party digital forensics investigation firms, U.S. law enforcement agencies and payment card issuers, it believes that the POS malware that infected its systems intercepted and transmitted to attackers data during two periods: in 2014 from November 18 to December 5, and this year from April 21 to July 27.

Hilton owns and franchises a number of brands, all of which it says were affected by the breach, including:

  • Canopy by Hilton;
  • Conrad Hotels & Resorts;
  • Curio - A Collection by Hilton;
  • DoubleTree by Hilton;
  • Embassy Suites by Hilton;
  • Hampton by Hilton;
  • Hilton Garden Inn;
  • Hilton Grand Vacations;
  • Hilton Hotels & Resorts;
  • Home2 Suites by Hilton ;
  • Homewood Suites by Hilton;
  • Waldorf Astoria Hotels & Resorts.

Hilton recommends that anyone who stayed at any of those hotels during those two POS-malware infection periods - and used a credit or debit card to pay for anything - now indefinitely "review and monitor their payment card statements." Via a Hilton data breach FAQ, the company says it will begin offering one year of "complimentary credit monitoring" on Nov. 25 to anyone who paid with a card at its properties during those periods. "Additionally, you may consider placing a fraud alert on your credit reports to help mitigate potential issues," it says. "To do this, you will need to contact one of the three U.S. credit reporting agencies or AllClear's International Service line."

Victim Count: Unknown

Hilton says it detected the malware infections via its "information security systems and processes," and that it has "further strengthened its systems" following the incidents. But the company's breach notification makes no mention of how many customers might have been affected, how many payment cards were compromised, when it detected the breach or what specific information security technology and process improvements it made in response. Likewise, it's not clear if the breach relates to all of its POS systems, or just those used in hotels' restaurant, retail or check-in environments.

While Hilton has yet to release more in-depth technical details about the breach, according to Charles Henderson, vice president of managed security testing at information security firm Trustwave, too many retailers and hoteliers fail to practice basic information security hygiene. He says all organizations should ensure they have changed the default passwords on POS devices as well as segmented their networks to better block malware infections and related data exfiltration (see Why POS Malware Still Works).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network