Wednesday, April 24, 2024

Eye on Security: Malware Planted in HEI Hotels and Micros POS Systems

By Jim Daly
@DTPaymentNews

HEI Hotels & Resorts disclosed Friday that malware on point-of-sale systems may have captured payment card information at restaurants and other locations within 20 of its properties. At the same time, the payments industry is watching for clues about the extent of a compromise at Oracle Corp.’s Micros subsidiary, which has more than 300,000 POS deployments at restaurants, stores, and hotels worldwide.

Norwalk, Conn.-based HEI, which operates properties under the Starwood, Hilton, Marriott, and other brands, said its card processor recently informed it of a “potential security incident.” The resulting forensic investigation found that “unauthorized individuals” apparently “installed malicious software on our payment-processing systems at certain properties designed to capture payment card information as it was routed through these systems,” says a notice on HEI’s Web site.

The malware captured cardholder names, account numbers, expiration dates, and verification codes as the information was entered at restaurants, bars, spas, and gift shops within hotels or resorts in Florida, California, Colorado, Illinois, Minnesota, Pennsylvania, Tennessee, Texas, Vermont, Virginia, and Washington, D.C. “Tens of thousands” of transactions could have been compromised, according to Reuters.

Dates of the compromises vary by location, with the first beginning in March 2015 and the last ones ending this June. At three properties, malware operated for several months, then apparently became inactive before operating again for four to six months. Malware appears to have operated continuously at several properties for over a year, according to the HEI notice.

In addition to disabling the malware, HEI said it has taken several remedial steps, including “transitioning payment card processing to a standalone system that is completely separated from the rest of our network.”

The number of cards affected by the breach and the amount of fraud stemming from it were not available.

Also on Friday, Visa Inc. issued a security alert to merchant acquirers, card issuers, processors, and merchants reporting that Oracle had informed Micros customers about malware being detected “in certain legacy Micros systems” and warning them to watch for suspicious activity. KrebsOnSecurity.com, the news site that broke the story Aug. 8, said early indicators in the investigation show that a Russian cybercrime group might be the perpetrator.

Oracle has divulged little information publicly, but has said it is requiring Micros customers to change their passwords. It also said it will contact customers directly if it determines their data has been compromised.

Micros is a leading POS systems vendor to the restaurant industry, where it had more than 200,000 deployments when Oracle bought Micros in 2014, according to KrebsOnSecurity. Another 100,000 deployments were at retailers, with 30,000 more at hotels, according to the news site.
