Officials say malware could not be detected by any antivirus

Mar 6, 2015 17:43 GMT

Hackers targeted a number of Mandarin Oriental hotels in the US and Europe to steal customer financial information, relying on malware that evaded detection by all the antivirus software protecting the group's systems, the group says.

Mandarin Oriental, which has luxury hotels in the US, Europe and Asia, learned about the security breach from a third party. An investigation was started immediately, revealing that an intruder was able to access credit card information from payment processing systems.

Most hotels in the US may have been compromised

In an official statement, Mandarin Oriental does not state the number of locations that were compromised or the names of the hotels, but it says that the incident does not affect its locations in Asia.

Security blogger Brian Krebs obtained details from sources in the banking industry, who say that the hack may have affected most, if not all, Mandarin hotels in the US, including those in Boston, Florida, Las Vegas, Miami, New York, and Washington, D.C.

As soon as the breach was confirmed, a team of forensics experts was contracted to remove the malware from the systems.

“While the Group has leading data security systems in place, this malware is undetectable by all anti-viral systems. Guests can be confident that security protocols are being thoroughly tested at all hotels to protect guest information and prevent a recurrence of such an attack,” the statement reads.

Personal information was not exposed

The company's statement suggests that few details are available at the moment, and that the number of customers impacted by the incident and the duration of the breach are currently unknown.

The same sources, however, told Krebs that the intrusion may have occurred just before Christmas 2014.

Anyone who stayed at a Mandarin Oriental hotel is advised to monitor their card activity and alert the issuing financial institution if unauthorized activity is observed.

According to the current results of the investigation, it appears that only credit card information, not including card verification values (CVVs), was exposed and that personal customer data remained untouched.

The company said that it upgraded the security of its systems, but it did not want to elaborate on the measures taken. However, to reduce the risk of fraud for its customers, credit card agencies were informed about the incident.