In a statement released yesterday, Hilton Hotels confirmed it had been hit by a malware-driven data breach in which customer payment data was stolen at the checkout, becoming the latest hotel chain to be hacked in a horrendous recent run of online assaults on the hospitality sector.
The statement reads:
Hilton Worldwide has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems. Hilton immediately launched an investigation and has further strengthened its systems.
Hilton Worldwide worked closely with third-party forensics experts, law enforcement and payment card companies on this investigation, and determined that specific payment card information was targeted by this malware. This information includes cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs).
As a precautionary measure, customers may wish to review and monitor their payment card statements if they used a payment card at a Hilton Worldwide hotel over a seventeen-week period, from November 18 to December 5, 2014 or April 21 to July 27, 2015.
Customers generally are not responsible for fraudulent activity on their payment cards, and should contact their financial institution directly if they notice any irregularities. They can also visit hiltonworldwide.com/guestupdate for more details, including how to receive one year of complimentary credit monitoring.
Hilton Worldwide is strongly committed to protecting customers’ payment card information, and we sincerely regret any inconvenience this may have caused customers.
“While we can’t know for sure what hackers’ long-term plans are, it does seem credible that they are targeting specific industries that likely have the same exploits in order to maximise their efforts before moving on to the next industry,” says Ryan Wilk, director at NuData Security.
“Once they get the card numbers, hackers then sell them on the Dark Web, use them directly in credit card cycling scams, or tie them to other data leaks to create full personas ripe for identity theft or fraudulent account creation, likely contributing to the overall increase in account takeovers we’ve seen, over 100% increase since February 2015.”