Extended stay: Data-stealing malware hides on Rosen Hotels' payment card network for over a year
An investigation of Rosen Hotels & Resorts' payment card systems uncovered malware that had been collecting guests' names and card information.
Guests who recently lodged at Rosen Hotels & Resorts properties in theme-park destination Orlando, Fla., must hope their data hasn't been taken for a wild ride, after the hospitality company announced its properties have suffered a long-undiscovered payment card data breach.
In a corporate statement, Rosen confirmed that an investigation of its payment card network turned up malware capable of reading cards' magnetic stripe data as it is routed through affected systems. The malware collected card numbers, expiration dates, internal verification codes and in some cases cardholder names, added the company, which operates seven properties comprising over 6,300 rooms and suites.
Rosen did not indicate how many guests were likely affected; however, the malware resided on its systems for well over a year, from Sept. 2, 2014 to Feb. 18, 2016. The company was finally alerted to the presence of malware in early February after receiving unconfirmed reports of fraudulent charges involving past guests.
According to its statement, Rosen is actively working with the payment card networks to identify the affected cards and notify their issuers and users. The company also said that “enhanced security measures have been implemented to help prevent this from happening again,” although no specifics were provided.
Reaction from certain corners of the data security industry was one of concern. “It's troubling to see another malware attack be so successful—and even more troubling that it persisted over a prolonged period of time without being detected,” Kevin Watson, CEO at Netsurion, said in an email supplied to SCMagazine.com.
Rosen has established a dedicated helpline for affected cardholders at 855-907-3214.