US chain Rosen Hotels & Resorts has become the latest to confirm a malware-based breach of its payment processing systems.
The breach covered an extended period between September 2, 2014 and February 18, 2016, a span of almost 18 months. The unauthorised access was tied to certain locations, primarily its restaurants.
While Rosen does operate several other properties in central Florida, it’s not immediately clear how many properties are affected.
In a statement (below), the hotel chain confirmed that payment card data (including cardholder name, card number, expiration date, and internal verification code) was exposed by the breach.
It’s unclear how many records have been affected. Rosen Hotels & Resorts is in the process of identifying and notifying affected parties.
We received unconfirmed reports on February 3, 2016 of a pattern of unauthorized charges occurring on payment cards after they had been used by some of our guests during their stay. We immediately initiated an investigation into these reports and hired a leading cyber security firm to examine our payment card processing system.
Findings from the investigation show that an unauthorized person installed malware in RH&R’s payment card network that searched for data read from the magnetic stripe of payment cards as it was routed through the affected systems. In some instances the malware identified payment card data that included cardholder name, card number, expiration date, and internal verification code.
In other instances the malware only found payment card data that did not include cardholder name. No other customer information was involved.
Cards used at RH&R between September 2, 2014 and February 18, 2016 may have been affected.
We are working with the payment card networks to identify the potentially affected cards so that the banks that issued them can be made aware and initiate heightened monitoring on those accounts. For guests where the findings show that the payment card information involved included their name and for whom we have a mailing address or e-mail address, we will be mailing them a letter or sending them an e-mail. We are also supporting law enforcement’s investigation.
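The statement describes malware that watched for magnetic-stripe data as it passed through the payment systems, and notes that the cardholder name was recovered in some cases but not others. That split maps onto the two stripe tracks defined in ISO 7813: Track 1 carries the PAN, the cardholder name and the expiry date, whereas Track 2 carries the PAN and expiry but no name. The same fixed formats that let a scraper recognise card data in memory also let a defender recognise it, so a simple detection is to scan process dumps, logs or outbound captures for Track 1 / Track 2 patterns and confirm candidates with the Luhn check before alerting. The following is an added example written for this article, not code from Rosen Hotels, Netsurion or the forensic investigation; the regular expressions follow the public ISO 7813 layout, the sample text is constructed, and the PANs in it are the well-known test numbers 4111111111111111 and 5500000000000004 plus one deliberately invalid number. Findings are returned with the PAN masked so the detector does not itself become a store of card data.

```python
import re

# ISO 7813 Track 1, format B: %B<PAN>^<surname/given>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
# ISO 7813 Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4, the usual PCI-permitted display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(text: str) -> list[dict]:
    """Return every Track 1 / Track 2 candidate in `text`, masked, in offset order."""
    findings = []
    for m in TRACK1_RE.finditer(text):
        findings.append({
            "track": 1, "offset": m.start(), "pan": mask_pan(m["pan"]),
            "has_name": True, "expiry": m["exp"], "luhn_valid": luhn_ok(m["pan"]),
        })
    for m in TRACK2_RE.finditer(text):
        findings.append({
            "track": 2, "offset": m.start(), "pan": mask_pan(m["pan"]),
            "has_name": False, "expiry": m["exp"], "luhn_valid": luhn_ok(m["pan"]),
        })
    findings.sort(key=lambda f: f["offset"])
    return findings


def high_confidence(text: str) -> list[dict]:
    """Only candidates whose PAN passes Luhn: these are the ones worth an alert."""
    return [f for f in scan_for_track_data(text) if f["luhn_valid"]]


# Constructed sample standing in for a strings dump of a POS process; not real data.
SAMPLE = (
    "2016-02-18 10:41:03 pos-term-07 strings dump (constructed sample)\n"
    "%B4111111111111111^DOE/JOHN^25121011234567890123?\n"      # Track 1, has name
    ";5500000000000004=25121011234567890?\n"                   # Track 2, no name
    "order=8812 total=42.10 ref=1234567890123456\n"            # plain digits, no track framing
    ";1234567890123456=2512101000000000?\n"                    # track framing but fails Luhn
)

if __name__ == "__main__":
    for f in high_confidence(SAMPLE):
        print(f"track{f['track']} pan={f['pan']} name={'yes' if f['has_name'] else 'no'} "
              f"exp={f['expiry']} offset={f['offset']}")
```

Run against the sample, the detector reports the two Luhn-valid findings (one Track 1 with a name, one Track 2 without) and discards the framed-but-invalid number, while the bare 16-digit order reference never matches because it lacks the sentinel and separator characters. In practice the same logic can be pointed at a YARA rule or an endpoint memory scanner; the point of the Luhn step is to keep false positives low enough that a long-running infection of the kind described above would surface as an alert rather than noise.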
“It’s troubling to see another malware attack be so successful – and even more troubling that it persisted over a prolonged period of time without being detected,” said Kevin Watson, chief exec at Florida-based Netsurion, a provider of remotely-managed security services for multi-location businesses. “We counsel our customers that any business, regardless of size, that processes payment data or offers free Wi-Fi to guests, is a lucrative target for cybercriminals.”
More commentary on the infosec angle to the breach can be found in a post to Tripwire’s State of Security blog here.
As infosec veteran Graham Cluley points out, Rosen Hotels is only the latest in a long and growing line of hotel chains to have had their customers’ data stolen by criminal hackers. Other corporate victims have included Mandarin Oriental, Trump, Hilton, Marriott, Sheraton and Westin. Malware infections of Point of Sale terminals have been behind many of these breaches. ®