Malware on Omni Hotel POS systems scarfed payment card info

Omni joins a contingent of hotel chains that were hit with malware aimed at stealing payment card data at the POS.
Omni joins a contingent of hotel chains that were hit with malware aimed at stealing payment card data at the POS.

After Omni Hotels & Resorts discovered May 30 that point-of-sale systems at some of its properties were infected with malware bent on obtaining payment card information during roughly a six-month period, the hotel chain brought in IT and security firms – in what has become a familiar refrain – to “contain the intrusion,” which the company said it did in a Friday notice.

“The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date,” the Dallas-based company said, explaining that the investigation found no evidence that its reservation or Select Guest membership systems had been compromised. “There is no evidence that other customer information, such as contact information, Social Security numbers or PINs, were affected by this issue.”

Customers that did not physically present a payment card at a POS system at an affected Omni location were likely not affected during the period from December 23, 2015 to June 14, 2016, when the intrusions were believed to have taken place.

Omni joins a long line of hotels and resorts, including Hyatt, Starwood, Hilton and the Trump Hotel Collection, hit with malware at the POS

The intrusion issue has since been resolved, Omini said, and the company has “taken steps” to bolster its systems and is cooperating with law enforcement investigating the breach. The hotel chain urged customers to remain cautious and vigilant.  “Out of an abundance of caution, you may want to review and monitor your payment card statements if you used a payment card at an Omni hotel during the above referenced dates,” the notice said.  “If you believe your payment card may have been affected, please contact your bank or card issuer immediately.

In addition to an apology, Omni is offering guests a year of free identity theft protection and repair – which can be requested online or by calling a number (1-855-303-9809) the hotel has established – as well as a reference guide to resources and other advice meant to protect against fraud.

“The Point of Sale malware targeting Omni Hotels is indicative of a larger problem regarding the security of third parties that have a direct bearing on their security and risk posture,” Joe Fantuzzi, CEO of RiskVision, said in comments emailed to SCMagazine.com. Fantuzzi doesn't expect the attack trend to disappear in the near term because cyber thieves do quite well with low-hanging fruit like POS systems, “which are often inadequately secured and particularly vulnerable to attack.”

The effects can be particularly devastating in the hospitality industry, which, Fantuzzi said, “is based on consumer trust.”

Not only do such compromises run up the risk of customer data theft, attacks like the one at Omni “that have been in flying under the radar undetected for months threaten the very foundation on which it relies to grow its business and establish a loyal customer base.” 

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS