14 DAY TRIAL // Omni Hotels & Resorts announced last Friday that they had found malware on the point-of-sale (PoS) systems used at some of their properties across the US.
The hotel chain claims to have discovered this threat on May 30, 2016, and to have quickly contacted a security firm to help them investigate the incident.
The investigation revealed that the malware operated between December 23, 2015, and June 14, 2016.
In a statement on its website, Omni did not disclose which properties were affected but asked customers to verify their credit or debit card history to see if they made any purchases in the aforementioned timeline.
Credit card details exposed, but not customer personal records
As is the case with most PoS malware infections, data such as the credit card number, card holder name, the card expiration date, and the security code printed on the back was compromised.
Omni says that details such as the PIN, the user's Social Security number, home address, or other personal information were not exposed in any way.
Users who utilized their cards to make reservations were not affected. Only customers physically present at the hotels or resorts and who presented the card for PoS transactions might have been affected.
"Even if you used your payment card at one of the properties involved, it does not mean you will be affected by this issue," Omni writes in its breach notice. "If you believe your payment card may have been affected, please contact your bank or card issuer immediately. We also are offering one year of free identity theft protection and repair to all affected guests to provide an added safeguard."
NOINDEX and should it be an illegal practice?
Veteran reporter Mike Lennon also noticed that Omni tried to bury its breach announcement in a late Friday afternoon release, probably to avoid mid-week media coverage, but it also used special "NOINDEX" meta tags in the source code of the breach notice Web page. The other pages on the Omni website did not feature this tag, but only the breach notice page.
This latter detail is extremely worrying practice from a renowned hotel chain like Omni, meaning that victims wanting to find out details about the card breach won't be able to reach the page using Google, Bing, or Yahoo's search engines.
Of course, the page is still available and linked from news agencies that cover the topic, but that is not the proper way to treat your customers.