A Florida-based hotel chain called Rosen Hotels & Resorts (RH&R) has admitted that stealthy point-of-sale (PoS) malware successfully breached its credit card processing system – leading to fears that cybercriminals have been conducting a large-scale financial operation for well over a year.
In a statement issued to hotel guests, the hotel said it was first alerted to the issue on 3 February after a number of customers reported unauthorised activity on their accounts. After hiring a security firm to investigate, RH&R was eventually notified that sophisticated malware had infiltrated its systems. Cards used at RH&R hotels between 2 September 2014 and 18 February 2016 may have been affected, the hotel has confirmed.
The malware was crafted to scrape computer systems for data read from the magnetic stripes of payment cards, and security analysis has found that cybercriminals successfully compromised names, card numbers, expiration dates and internal verification codes associated with customer cards.
The chain has not released figures on exactly how many of its properties have been impacted by the infection. However, it said that it has started to notify customers it believes to have been targeted by the malware.
"We are working with the payment card networks to identify the potentially affected cards so that the banks that issued them can be made aware and initiate heightened monitoring on those accounts," RH&R said in a data breach notification posted to its website.
"For guests where the findings show that the payment card information involved included their name and for whom we have a mailing address or e-mail address, we will be mailing them a letter or sending them an e-mail. We are also supporting law enforcement's investigation."
It added: "If you used a payment card at RH&R during this time frame, we recommend that you remain vigilant for signs of unauthorised charges by closely reviewing your payment card account statements. You should immediately report any unauthorised charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorised charges reported in a timely manner."
Point-of-sale malware has hit a slew of big-name hotel brands over the past 12 months, with victims including Hilton Hotels, Marriott, Hyatt Hotels and Trump Hotel Collection. In every case, cybercriminals were found to be targeting customer credit cards for financial gain.
"It would be a brave man who would bet that this is the last we will see of hackers targeting the payment card processing systems of well-known hotels and retailers," warned security researcher Graham Cluley. "Rosen Hotels says that it will [be] contacting affected customers when they can ascertain the victim's email or mailing address. But chances are that there are many people who visited the hotel and made card purchases without sharing their address or email details at the same time."