Add Starwood – owner of the Sheraton, Westin, W hotel chains – to the ranks of resorts infiltrated by credit card-stealing malware.
The luxury hotel chain said on Friday that 54 of its North American locations had been infected with a software nasty that harvested banking card information from payment terminals and cash registers.
Starwood said the 54 compromised hotels [PDF] were scattered throughout the US and Canada, and were infected from as early as November of 2014 to June 30 of this year. Malware was found in payment systems in gift shops, restaurants, and sales registers.
Data stolen by the software could include customer names, credit card numbers, card security codes, and expiration dates. Starwood said that customer addresses, reservation data, and reward card information were not exposed in the breach.
Starwood Hotels and Resorts include the Sheraton, Westin, and W Hotel brands as well as the Palace Hotel in San Francisco and the Walt Disney World Dolphin resort in Orlando.
Any customers who visited the breached hotels are advised to keep a close eye on their bank statements for any suspicious charges. As we've come to expect in these sorts of situations, Starwood said it would offer one year of free identity protection and credit monitoring services to those who were affected by the breach.
The malware has since been isolated and removed from the system, and Starwood said it has put additional safeguards in place to prevent the attack from recurring. Little consolation for those whose card data was stolen.
This is certainly not the first time, and likely will not be the last, that a hotel chain has fallen victim to a POS malware infection. Similar attacks have been uncovered in recent months at Hilton and Trump resorts, as well as at casinos in Las Vegas and Michigan. ®