Mandarin Oriental Hotel Group said Friday that 10 of its properties were affected in a malware attack on its credit card systems.
According to a release, the following Mandarin Oriental properties were affected, all beginning on June 18, 2014: Boston until March 12; Geneva until March 3; Hong Kong until Feb. 10; Las Vegas until Oct. 16, 2014; Miami until March 3; New York until Jan. 18; San Francisco until Feb. 14; and Washington DC until Jan. 20. The Mandarin Oriental Hyde Park in London was impacted until March 5, and the Landmark Mandarin Oriental in Hong Kong was impacted until Feb. 3.
“We believe this hacker may have used the malware to acquire the names and credit card numbers of guests who used a credit card for dining, beverage, spa, guest rooms, or other products and services at the following Mandarin Oriental properties during these time periods; we have not, however, found any evidence of acquisition or misuse of credit card pin numbers or security codes, or any other personal guest data,” the release said.
A notification posted to the California data breach website indicated that 2,835 California residents may have had their credit card data acquired in the incident, but it is unclear how many total individuals were potentially impacted, and a Mandarin Oriental spokesperson told SCMagazine.com on Monday that no additional information is being provided outside of what has already been released.
After identifying the issue and commencing an investigation, Mandarin Oriental took steps to remove the malware, ensure that intruders are no longer on its systems, and notify potentially affected guests, the release said. Additional steps have been taken to further protect guest information and make certain a similar incident does not occur again.
The California notification noted that while Mandarin Oriental has no evidence that credit card information has been improperly used, all potentially affected guests are being offered a free year of credit monitoring services.
According to the release, Mandarin Oriental learned of the issue in February when its payment card processors said that credit card systems in some hotels may have been the target of malicious activity. The hotel group first announced the breach in March.