NEW YORK (MainStreet) — Large hotel management company White Lodging Services last week disclosed that its credit card point of sales systems at restaurants and bars had been under attack for many months, with personal credit card details of an unknown number of consumers stolen by hackers. The duration of the breach, according to White Lodging, is about seven months - July 3, 2014 through February 6, 2015.
According to White Lodging, “The unlawfully accessed data at risk is believed to be limited to names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates.”
With that information, a cybercriminal has plenty to make purchases from online retailers. It would also be straightforward to press out a counterfeit credit card for use at brick and mortar retailers and restaurants.
Call this war on for credit card data at hotels. They have been under attack for some years.
This is the second White Lodging breach in as many years. In February 2014, the company said 14 of its properties had suffered a similar breach, between March 20, 2013 and December 16, 2013.
White Lodging is not alone. In 2008 and 2009, Wyndham Hotels - which operates Ramada, Days Inn, Wyndham and other brands - suffered three successful attacks on its credit card systems. Over 600,000 accounts are said to have been compromised.
In 2010, hotel operator Destination suffered a breach that compromised guest data from 21 of its hotels.
There are other hotel victims, said experts. “Attacks on hotels won’t end," predicted Paul Robinson, a senior security solutions executive with Brite Computers. "There will be more.”
The reasons: hotel guests are tasty targets, hotels offer many attack vectors to criminals, and, lastly, many hotels apparently have not invested in upgraded technology to minimize damages done by attackers. “Hotels are an opportune target," said Fred Cate, a cybersecurity expert and a professor at Indiana University Maurer School of Law. "There are so many points of access.”
Multiple experts also indicated that - in many hotels - cybersecurity seems not to be a front burner concern. “There appear to be weaknesses hotels are not addressing” said Cate.
Back up: who is White Lodging? In the hotel business, it is a norm to have a namebrand on the door, but lesser known companies do the actual management. These are companies like Interstate Hotels, the nation’s biggest management company; Pyramid; and White Lodging, which usually ranks among the top five in the country. In a recent tally, White Lodging managed 161 hotels.
Hotels involved in the current breach are Indianapolis Marriott Downtown; Chicago Marriott Midway Airport; Auburn Hills Marriott Pontiac at Centerpoint, Pontiac, Mich; Austin Marriott South Airport; Boulder Marriott in Boulder, Colo.; Denver Marriott South at Park Meadows; Louisville Marriott Downtown; Renaissance Boulder Flatiron in Broomfield, Colo.; and Sheraton Hotel Erie Bayfront, in Erie, Pa.
It is difficult - bordering on impossible - for an average consumer to know what third party is managing the hotel where he is staying, because, by design, the third parties generally are supposed to be invisible.
What should you do to avoid becoming a victim? That too is not easy, said experts, because submitting a credit card is part of the check-in process at most hotels. “You cannot stay at a hotel without a valid credit card,” said T. K. Keanini, CTO at security company Lancope. He added: “Everytime I see a major breach, I expect to see an unmarked envelope in my mailbox. A new credit card is a pain. You have to change all your auto pays.” That is, cards caught up in breaches need to be replaced and that means a hassle for victims.
One piece of advice: “There is not much a consumer can do, but, personally, I would not use a debit card at a hotel. Use a credit card and you should not be held liable for any fraudulent use,” said Jeff Foresman, compliance lead at Rook Security. That’s because federal law caps liability at $50 with a credit card. Also, if your credit card number is stolen (rather than the plastic card), you have zero liability, per federal law.
Debit cards are more problematic. Says the Federal Trade Commission: “If someone makes unauthorized transactions with your debit card number, but your card is not lost, you are not liable for those transactions if you report them within 60 days of your statement being sent to you.” But if you don’t look at your statement, and throw it in a drawer, you theoretically can be held liable for every fraudulent penny.
Word of advice: after staying at any hotel, closely monitor credit card statements for several months - and if you are forever on the road, always monitor.
Nobody sees a drop in hotel credit card breaches, and that means whenever you are a guest, your card is potentially a target for criminals. That is an unpleasant thought. But it - sadly - is fact.
—Written by Robert McGarvey for MainStreet