Credit card data breach targets Marriott, Sheraton, other hotels

04/02/2014 07:39

(Reuters) - A credit card data breach has been detected that exposed guests at certain Marriott, Holiday Inn, Sheraton and other hotel properties to theft, hotel management firm White Lodging Services Corp said on Monday.

The breach occurred at food and beverage outlets at 14 hotels, including some operated under the Westin, Renaissance and Radisson names, between March 20 and December 16 last year, White Lodging said in a statement.

The company said information subject to potential theft by cyber criminals included names and numbers on consumers' debit or credit cards, security codes and card expiration dates.

Customers who used their cards at the affected outlets should review all statements from the time in question and consider placing fraud alerts on their credit files, White Lodging said.

White Lodging would not estimate how many card numbers might have been taken. Krebs on Security, the cybersecurity blog that first reported the breach on Friday, said thousands of accounts had been compromised.

The latest data breach comes after the FBI warned retailers last month to prepare for more cyber attacks after discovering about 20 hacking cases in the past year involving the same kind of malicious software used against Target Corp over the holiday shopping season.

The incident involving Target, the No. 3 U.S. retailer, was one of the biggest retail cyber attacks in history.

In a confidential, three-page report to retail companies the FBI described the risks posed by "memory-parsing" malware that infects point-of-sale (POS) systems, which include cash registers and credit-card swiping machines in checkout aisles.

Restaurants and lounges affected by the White Lodging breach were at hotels in Chicago; Austin, Texas; Richmond, Virginia; Plantation, Florida; Denver, Boulder and Broomfield, Colorado; Louisville, Kentucky; Erie, Pennsylvania; and Indianapolis and Merrillville, Indiana, the company said.

White Lodging, which manages 169 hotels that include brands of Marriott International, Starwood Hotels and Resorts and InterContinental Hotels Group, said it planned to offer affected consumers one year of identity protection services.

The company, based in Merrillville, Indiana, said it notified federal authorities of the suspected breach and had begun a review of other properties it manages.

A spokeswoman for White Lodging declined to comment beyond the company's statement.

Marriott said one of its franchise management companies had "unusual fraud patterns" with payment systems, according to a statement from spokesman Jeff Flaherty. He added that Marriott was working with the company in the probe.

"Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide," Flaherty added.

(Reporting by Karen Jacobs in Atlanta, Editing by Tom Brown and Stephen Coates)

Read more: