Omni Hotels & Resorts has reported that point-of-sale systems at some of its properties were hit by malware targeting payment card information. The attack on the systems of the luxury hotel chain follows similar breaches of point-of-sale systems at various hotels and retailers like Hyatt Hotels, Target, Starwood Hotels & Resorts Worldwide and Hilton Worldwide Holdings. Omni in Dallas, Texas, said in a statement Friday that on May 30 this year, it discovered it was hit by malware attacks on its network, affecting specific POS systems on-site at some of its properties. "The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date," Omni said. There isn't evidence that other customer information, such as contact information, Social Security numbers or PINs, was compromised, it added.
Clothing retailer Eddie Bauer has informed customers that point-of-sale systems at its stores were hit by malware, enabling the theft of payment card information. All the retailer's stores in the U.S. and Canada, numbering about 350, were affected, a company spokesman disclosed Thursday. He added that the retailer is not disclosing the number of customers affected. The card information harvested included cardholder name, payment card number, security code and expiration date. The retailer said that information of payment cards used at its stores on various dates between Jan. 2 and July 17, 2016 may have been accessed, but added that not all cardholder transactions were affected.
A new swathe of US hotels has fallen prey to point-of-sale (PoS) malware which may have exposed customer financial data. Hotel properties in cities including San Francisco, Chicago, Arlington and Washington DC were included in the data breach. Malware was active at different stages depending on the property, but customer data was exposed between 2015 and 2016. HEI says that customer data including names, payment card account numbers, card expiration dates and verification codes may have been captured by the malware. However, the company insists that the firm does not store credit card numbers; rather, it is believed the malware captured this data as it was recorded in real-time at PoS terminals.
Card-issuing banks told the Madison Square Garden Company about suspicious transactions, which led to investigations that confirmed the breach. The Madison Square Garden Company has revealed that for a year malware has been capturing payment-card data from a system that processes payments for several of its properties. MSG warned customers on Tuesday that the breach had exposed customer data held on the magnetic strip of credit cards, including card numbers, cardholder names, expiration dates, and internal verification codes. Card-issuing banks recently notified MSG of suspicious transaction patterns, which led to an investigation by MSG and confirmation of the infection in the last week of October, it said. It's not clear why the company only revealed the incident now.
Marriott on Friday said the hack of the reservation database for its Starwood properties, which involved the theft of personal information on up to 500 million customers, began in 2014 and went undetected until this September. In 2015, Starwood reported a much smaller breach, in which attackers installed malware on point-of-sale systems in some hotel restaurants and gift shops to siphon off payment-card information. It disclosed the attack four days after Marriott announced a deal to acquire Starwood Hotels & Resorts Worldwide for what ended up being $13.6 billion, creating the No. 1 hotel company globally. Marriott says that the 2015 incident was different and not related to the attack made public Friday. But security specialists say that while it's not unusual for breach investigations to miss a second intruder, a more thorough investigation into the 2015 intrusion could have uncovered the attackers, who instead were able to lurk in its reservation system for three more years.