US hotel chain Hilton Worldwide, which owns 4,500 hotels around the world, has become the latest victim of a cyber attack, with hackers obtaining sensitive credit card information of former guests. The company has not disclosed how many of its hotels could be affected by the hack but has asked all previous customers who used their credit cards to take precautions.
"Hilton Worldwide is strongly committed to protecting customers' payment card information, and we sincerely regret any inconvenience this may have caused customers," said a press release by the company. The chain confirmed that a malware compromised its payment systems, putting customers' data at risk.
The hackers reportedly launched their attacks between 18 November and 5 December in 2014, and between 21 April and 27 July this year. Although the malware did not expose home addresses or PIN codes of the customers, it did provide access to card numbers, security codes and names. These details are largely enough for hackers to make purchases, mainly online.
What is the risk?
The extent of the compromised data in this case could allow the culprits to create fake credit cards or to purchase goods and services online, by phone or by mail without the cardholder's knowledge. However, people are not liable for unauthorised purchases made on their cards if they inform the authorities on time.
The breach is said to highlight a security weakness at many hotels, as hackers have time and again targeted point-of-sale (POS) devices. These rely solely on a card's magnetic stripe and are often targeted by fraudsters. The magnetic stripe can easily be cloned by swiping it, and the magnetic stripe data can be copied to another card and used to make fraudulent purchases.
To do away with this problem, advanced chip cards have been recommended all over the world and have even been made mandatory by many central banks. These cards utilise complex encryption to protect the card number and to verify whether the card presented is the original or a duplicate. These are still not mandatory in many countries including the US, and a large number of people continue to use magnetic stripe cards.
News of the hack came just four days after Starwood Hotels, which operates the Sheraton and Westin chains, announced that hackers had infected payment systems in some of its establishments, potentially leaking customer credit card data. The Trump Hotel Collection and Mandarin Oriental Hotel Group have also previously warned guests about potential security breaches.