Hilton, Starwood hotels hacked, credit card details at risk

By Chris C., November 25 2015
Disclaimer

Executive Traveller may receive a commission when you apply for these credit cards via our links.

The information provided on this page is purely factual and general in nature. You should seek independent advice and consider your own personal circumstances before applying for any financial product.

Hilton Worldwide and Starwood Hotels and Resorts are the latest companies to face cyber attacks: hackers obtained sensitive credit card information from 54 Starwood hotels across the United States and Canada, and various Hilton hotels globally were also compromised.

Among the information targeted: full credit card numbers, cardholder names, expiration dates and security/verification codes from “certain restaurants, gift shops and other point of sale systems” at Starwood and “some point-of-sale systems” at Hilton.

Hilton “immediately launched an investigation and has further strengthened its systems”, said Jim Holthouser, Hilton's EVP Global Brands, while Sergio Rivera, Starwood's President: The Americas, noted that “the malware no longer presents a threat to customers using payment cards at our hotels.”

For Starwood, the attack centred on its upscale and luxury brands with properties such as the Sheraton, Westin and W New York Times Square hotels, Westin New York Grand Central and Westin Los Angeles Airport affected, with the full list of compromised hotels and dates available from Starwood’s website.

No Starwood properties outside North America are known to have been breached by the hack attacks.

Download: List of affected Starwood properties [PDF, 198KB]

Hilton is playing its cards much closer to its chest, sharing only that “certain hotels within the Hilton Worldwide portfolio” were affected from November 18 to December 5 2014 and again between April 21 and July 27 2015, but does namecheck every one of its hotel brands as part of an FAQ on the subject.

Credit card hacks: how they happened

Guest information is believed to have been illegally targeted through the covert installation of ‘malware’ on various hotel systems. The malware harvested credit card information for a malicious third party, instead of that information being transmitted only to the banks entrusted with processing each electronic payment.

The dates that each hotel’s systems were infected vary between Starwood properties, with some quickly detecting the malware and removing it the very next day while other hotels were blind to the breach and allowed it to continue for months on end.

The extent of the compromised data would potentially allow the culprit to create phoney credit cards or to purchase goods and services online, by phone or by mail without the cardholder’s knowledge.

Adoption of secure ‘chip and PIN’ payment technology in the United States significantly trails that of Australia and other countries, with Stateside merchants often swiping customers’ credit cards through their cash register system instead of a separate EFTPOS terminal.

Point-of-sale systems which rely solely on a card’s magnetic stripe are often targeted by fraudsters, since the more advanced chip and PIN terminals use complex encryption and verification algorithms to protect the card number and to verify whether the card presented is the original or a duplicate.

For more information on the breach, visit the Starwood and Hilton websites.


Chris C.

Chris is a former contributor to Executive Traveller.

