Banks warn of fraudulent card activity; inquiry is ongoing

Feb 5, 2015 09:00 GMT

Several financial institutions have identified fraudulent activity on cards used at multiple JW Marriott hotels managed by franchise firm White Lodging.

Customers of the hotels administered by White Lodging were targeted at the beginning of 2014 by hackers, who planted malware on cash registers of food and beverage locations.

Locations affected have been hit before

It appears that the current fraud occurred on cards that had been used in many of the locations affected by last year’s incident. These included hotels in Austin (Texas), Bedford Park (Illinois), Denver (Indianapolis), and Louisville (Kentucky).

An investigation has been initiated to determine the validity of the allegations, but according to security blogger Brian Krebs, White Lodging has yet to uncover any traces of malicious activity.

If there is indeed a new card breach incident, JW Marriott cannot confirm it because it does not control the payment systems that have allegedly been infected.

Kathleen Sebastian, White Lodging spokesperson, told Krebs that a security company had been contracted to perform a full forensics audit on the systems. “To this date, we have found no identifiable infection that would lead us to believe a breach has occurred. Our investigation is ongoing,” Sebastian said.

She also said that last year’s incident was an important security lesson that led to the company’s decision to harden the protection of the systems processing card information.

Stronger security has been adopted

Among the steps taken are the installation of a firewall under the management of a third party and the enabling of two-factor authentication (2FA) for logging into critical systems.

Additional measures include adopting tokenization technology on cash registers, which ensures that card data waiting to be processed is substituted with a token that cannot be reversed unless a dedicated system is used.

According to Sebastian, front-desk systems at Marriott locations managed by White Lodging were relying on tokenization, while payment terminals in other parts of the hotel were in the process of adopting the new security measure, with completion scheduled by the end of the second quarter of the year.

What tokenization does is transform sensitive information into a non-sensitive equivalent that can be passed through the network to its destination, where it is de-tokenized and converted back into the original input for verification purposes.

One weak spot in this approach is the protection of the tokenization system itself, which needs to be logically isolated from the network and segmented from the applications and systems that store and process the data.