The data compromised may have included payment card data, including name, payment card account number, card expiration date, and verification code, it said. The malware has been active at some hotels since March 2015.
Advertisement
It affected Hyatt, Sheraton, Marriott and Westin hotels at PoS terminals which are used at retail and food and beverage outlets located in the hotels. The company said the malware has been removed and it is safe for customers to use credit cards at the properties. A list of hotels provided by HEI shows some properties were impacted by the malware as early as March of past year.
Properties that have been affected by this data breach are spread across its Hyatt, Marriott, Starwood and Intercontinental chains. HEI said that guests who didn’t make PoS purchases during their stays at affected properties were not at risk of having their payment data stolen during the incident.
According to a notice on its site, HEI discovered the breach after receiving an alert from its card processor. However, it’s hard to accurately calculate how many individuals or cards may be affected, he said, as multiple transactions may have legitimately been carried out on a single card. Typically, that kind of malware is able to capture card data as it is entered and before it is encrypted, which appears to be the case in the HEI breach. Law enforcement has been notified and the company is in the process of installing a new payment processing system which is separate from the main, core computer network.
HEI apologized to customers for any concerns or frustrations caused by this incident.
The breach was discovered in mid-June, but the malware was active in the system from March 1, 2015 to June 21, 2016, with 14 of the hotels affected after December 2, 2015, HEI said in a statement.
Advertisement
It’s hard to pinpoint how many people were affected, but Chris Daly, a spokesperson for HEI, says it could be in the tens of thousands.
