Intrusion duration is estimated at 7 months, since July 2014

Apr 9, 2015 16:30 GMT

A new payment system breach is currently being investigated by hotel management company White Lodging at 10 of its properties across the United States.

The intrusion is believed to have lasted for about 7 months, from July 3, 2014, until February 6, 2015, and impacted the point-of-sale systems at restaurants and lounges on the premises of Marriott, Renaissance, Sheraton, and Courtyard hotels.

CVVs were stored on the systems

Only individuals who used their payment cards directly at the food and beverage outlets are affected by the incident. The cards of guests who charged from the outlets to their rooms have not been compromised, the company said on Wednesday.

On the other hand, anyone who used their card for charges at the outlets may have had their financial data compromised and is asked to review their bank account statements for suspicious activity.

An investigation following the discovery of the intrusion revealed that the data potentially exposed consisted of names, card numbers, card expiration dates, and security codes (CVV - card verification value).

A cybercriminal in possession of this information is not hindered in any way from using it for online purchases, since CVVs were also stored on the payment systems.

It is unclear why this piece of data was present on the payment computer systems. According to the Payment Card Industry Data Storage basic guidelines, CVVs should not be stored on the systems after payment authorization completes.

Previous security measures proved ineffective

The security breach follows another one in 2014, which prompted White Lodging to harden its security measures by adopting technology and managed services from a third-party security firm.

“These security measures were unable to stop the current malware occurrence on point of sale systems at food and beverage outlets in 10 hotels that we manage,” said Dave Sibley, White Lodging president and CEO in an announcement disclosing the breach.

Federal law enforcement has been called in to investigate, and a third party has been contracted to conduct a forensic review.

The following list of properties is believed to have been impacted by the breach:

• Indianapolis Marriott Downtown, Indianapolis, IN
• Chicago Marriott Midway Airport, Chicago, IL
• Auburn Hills Marriott Pontiac at Centerpoint, Pontiac, MI
• Austin Marriott South Airport, Austin, TX
• Boulder Marriott, Boulder, CO
• Denver Marriott South at Park Meadows, Denver, CO
• Louisville Marriott Downtown, Louisville, KY
• Renaissance Boulder Flatiron, Broomfield, CO
• Courtyard Austin Downtown, Austin, TX
• Sheraton Hotel Erie Bayfront, Erie, PA