Breach, Data Security, Malware, Network Security

Unwanted guests: Hackers breach HEI Hotels & Resorts’ POS terminals

In the latest data breach impacting the hospitality industry, cybercriminals installed malware in the point-of-sale systems of HEI Hotels & Resorts and may have checked out with customer data including payment card information.

The company, which owns and operates approximately 50 hotels in the U.S. under the franchised brand names Starwood, Marriott, Hyatt and Intercontinental, acknowledged the breach in an online notification.

“Unfortunately, like many other organizations, we recently became aware that several of our properties may have been the victim of a security incident that could have affected the payment card information of certain individuals who used payment cards at point-of-sale terminals, such as food and beverage outlets, at some of our properties,” read the statement.

The malware, designed to capture payment card data in transit as it is routed between systems, was discovered and ultimately eliminated on June 21 after a card processing company alerted HEI of suspicious activity; however, the earliest incidents are known to date as far back as March 1, 2015. Potentially captured information likely includes names, payment card account numbers, expiration dates and verification codes.

HEI also published a notice letter, an FAQ document and a list of affected properties that includes 20 locations stretching from coast to coast. “We have disabled the malware and are in the process of reconfiguring various components of our network and payment systems to enhance the security of these systems,” HEI's notice letter read. HEI has also set up a toll-free number for customers with questions and concerns.

HEI's disclosure comes just days after researchers announced that numerous POS system vendors were compromised in a malware campaign that was likely the work of Russian cybercriminals. In one case, bad actors infected the customer support portal for Oracle's MICROS POS solution, and then waited for business users to log in to steal their passwords and infect their POS systems. It's not know if HEI is a customer of one of the recently affected POS vendors of if this is an entirely unrelated incident.

Regardless, cybersecurity insiders have taken note of a perceived uptick in hospitality industry data breach disclosures in 2016, including incidents affecting Hyatt Hotels Corporation, Kimpton Hotels & Restaurant Group, Omni Hotels & Resorts, and Rosen Hotels & Resorts.

“Any business, regardless of size or vertical specialty, that processes payment data or offers free Wi-Fi to guests, is a lucrative breach target. But unfortunately, large chains like HEI have bullseyes on their backs, enticing hackers with large quantities of valuable information such as credit card data for patrons, sensitive employee data for staff, and sometimes even medical data used by in-house care facilities,” said John Christly, CISO at security service provider Netsurion, in an emailed statement to

“Hospitality companies have always been a target for attack because of both the type of data they hold and the relatively poor security they employ. Financial institutes and technology companies are much more difficult targets. Meanwhile hotel chains with a global presence are generally poorly protected from an information technology perspective,” said Gunter Ollmann, CSO at automated threat management firm Vectra Networks.” Also, because the hospitality industry “depends heavily on transient and temporary staff, they are more prone to physical subversion of their systems.”

In an interview with, Chris Strand, security risk and compliance officer at endpoint security company Carbon Black, said he's anything but surprised at the latest breach news, cautioning that the cybersecurity industry is so wrapped up in the ransomware epidemic that it's in danger of overlooking POS threats.

Strand pointed out that when malware campaigns zero in on hospitality chains, the targets are often franchised locations, much like HEI's hotels. The problem, according to Strand, is that franchisors too often “will allow individual franchises to let them run things their way. That means cybersecurity best practices “are pushed down to individual franchises, but not necessary adopted.”

Strand warned that often times franchised hotels systems are “outdated” and “inundated,” and that franchisors must get a better handle on how its franchisees address security concerns.

In the recent Wendy's restaurant data breach, all of the approximately 1,000 U.S.-based locations affected by the POS malware attack were franchised.

Other factors contributing to recent hospitality attacks, Strand added, are incorrect or incomplete adoption of the new “chip and PIN” EMV standard, as well as a tendency to settle for basic PCI compliance instead of aggressively pursuing next-generation security solutions and procedures. Ultimately, the responsibility to secure transactions at the POS is equally split among vendors and their customers, Strand concluded.

Consumers, too, must stay vigilant in checking their accounts for fraudulent activity. However, in a statement emailed to, malware research analyst Ken Bechtel from Tenable Network Security noted that in many cases, the consumer is rendered powerless.

“We often forget that the consumer is at a distinct disadvantage when dealing with POS malware, as this threat is beyond their control,” said Bechtel. “While cardholders can help protect their accounts by watching for skimmers, keeping their card within sight while paying bills and checking credit card statements for fraudulent activity, once a POS system is compromised there is nothing the user can do to prevent the activity. It's the responsibility of the organization to detect anomalies in credit card transactions and then take ongoing steps to prevent and remediate potential malware threats.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.