Upmarket hotel chain Mandarin Oriental has admitted to a credit card breach.
Investigative journalist Brian Krebs uncovered evidence of a breach before extracting an admission of the problem from the hotel group.
The root cause of the security spill – as well as the number of credit cards exposed – remains unclear, pending the results of a Mandarin Oriental investigation.
Krebs got wind of potential problems at the hotel chain as the result of a tip-off from a source in the financial services industry, who reported an emerging pattern of fraudulent charges on customer cards used to pay for stays at the hotels.
In a statement, Mandarin Oriental blamed malware for the breach:
Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorisation and in violation of both civil and criminal law.
The Group has identified and removed the malware and is co-ordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio.
We take the protection of customer information very seriously. Unfortunately incidents of this nature are increasingly becoming an industry-wide concern and we have therefore also alerted our technology peers in the hospitality industry.
The hotel chain, which operates upmarket hotels in 27 countries, said that it had already added unspecified extra security measures in the wake of the breach, which remains under investigation.
Mandarin Oriental asserted that the malware involved in the breach was undetectable by all anti-viral systems.
The compromise probably dates back to just before Christmas 2014 and involves stays at US hotels, according to Krebs. The investigative journalist raised the possibility that compromised payment terminals at restaurants and other businesses located inside these hotels, rather than payment data extracted from hotel front desk systems, may be behind the breach.
There are precedents for this particular type of problem. For example, last year White Lodging Services Corp disclosed a breach limited to restaurants and gift shops hosted within its hotels.
Whether or not this happened in the Mandarin Oriental case is purely speculative at this stage, but it's a credible theory which illustrates the nefarious tactics of credit card fraudsters.
Third-party security experts advised Mandarin to focus on keeping on top of the breach notification process in order to keep its wealthy clients on side.
"Mandarin Oriental will need to limit the fall-out of this breach as quickly and efficiently as it can," said Mark James, security specialist at anti-virus firm ESET. "Information is key here and getting that out to the affected users as quickly and concisely as possible will help towards keeping its reputation and its customers."
He added: "A lot of people these days accept the fact that their data online is not safe and will be subjected to theft at some point. It's how companies affected by data breaches react and recover that sets them apart from the others. Free credit monitoring for all affected parties is a must, along with information on how, when and what they are doing to stop it from happening again." ®