Tens-of-thousands of card details put at risk in hotel hack

Customers at 20 US hotels may have had their credit card details exposed to hackers after malware was discovered on the properties' point-of-sale (POS) systems.

The hotels are run by a hotel management business, HEI Hotels and Resorts, but operate under big-name brands like Marriott, Hyatt and InterContinental Hotels Group (IHG).

According to a statement from HEI, those at risk would have used their credit or debit cards to pay for services at the hotel properties, such as purchasing food or drink. The organisation has not stated whether or not POS transactions for accommodation have been affected.

Data stolen could include customer names and card account numbers, expiration dates and three-digit verification (CSV/CVV) codes.

The company added: "HEI was recently alerted to a potential security incident by its card processor. Based upon an extensive forensic investigation, it appears that unauthorised individuals installed malicious software on our payment processing systems at certain properties designed to capture payment card information as it was routed through these systems."

HEI is treating the incident as "top priority" and has managed to disable the malware. It is now in the process of reconfiguring and enhancing the security protocols of its network and payment systems. Law enforcement has also been informed.

Chris Daly, a spokesman for HEI, told Reuters over 20,000 transactions may have been affected by the malware. However, it's difficult to accurately calculate how many individuals or cards may be affected, he said, as multiple transactions may have legitimately been carried out on a single card.

IT Pro contacted the affected hotel chains but had not received a response at the time of publication. However, a full list of affected properties can be found here.