The malicious files have been planted since at least June 2012

Jun 4, 2013 07:48 GMT  ·  By

Rosewood Inn of the Anasazi in Santa Fe, New Mexico, has started notifying customers that their credit card details might have been compromised.

According to the security breach notice sent out to customers (via eSecurity Planet), cybercriminals planted malware on the hotel’s systems as early as June 18, 2012.

The malware was designed to harvest credit card data and send it back to the cybercriminals.

The malicious files were discovered after a credit card processing vendor notified Anasazi on March 21 that the hotel had been identified as a common point of purchase for credit cards involved in fraudulent transactions.

The forensic investigators called in by the hotel haven’t found any evidence that the malware actually stole any data. However, considering that the malicious elements had been present since June 2012, it’s likely that the malware wasn’t idle during all this time.

“The portion of our computer system where the malware appears to have been installed contained names and credit card information of certain patrons of Anasazi. We believe information about the cardholder whose card was used as payment for your room at Anasazi, including the name and credit card information, could have been viewed without authorization,” the notification letter reads.

“We do not collect Social Security Numbers or dates of birth of our hotel patrons; thus, no Social Security Numbers or dates of birth were compromised.”

According to the hotel’s representatives, their systems have been cleaned up and additional security measures have been added to protect the company’s networks.

The US Secret Service has been notified of the incident and Anasazi is working with law enforcement to identify and pursue the criminals.

Impacted individuals are advised to keep a close eye on their account activity and report any fraudulent transactions.

AllClear ID has been contracted to provide identity protection services for the affected customers for one year at no cost to victims.