Hilton Hotels admits point-of-sale malware hack
Credit card numbers, security codes. You name it, they got it
Hotels group Hilton Worldwide has finally admitted that its hotels were compromised in an attack in which its point-of-sale (PoS) terminals were compromised with malware.
The malware was able to read transaction information, including debit and credit card details, in plain text when it was decrypted on their terminals to conduct the transaction.
The malware exploits a long-known flaw in the PCI-DSS payment security standards that does not stipulate that card data should remain encrypted when it is processed at a point-of-sale terminal. As a result, shop and hotel cash tills have been increasingly targeted in attacks as one of the easiest ways of surreptitiously gleaning payment card details.
The stolen information includes cardholder names, payment card numbers, security codes and expiry dates. Addresses and PINs were not been exposed, claims Hilton, although anyone who has stayed at a Hilton hotel in the past year would be advised to check their bank and credit card statements closely and, perhaps, to order new ones.
Hotel groups face particular challenges with payment-card security as they tend to keep the details for a period of time after check-out, suggested Mark Bower, global director of product management, enterprise data security at HPE Security.
"Card-on-file transactions are common, meaning card data is often stored longer than typical, to maintain customer bookings and for resort service charges after check-in," he said.
He continued: "Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise. Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information."
"Last night, Hilton Hotels disclosed that malware designed to help cyber thieves steal credit and debit card data was found on point-of-sale systems at some of its hotels," said Ryan Wilk, a director at NuData Security. "This credit card breach announcement is just one of a spate of similar hacks that have occurred over the last year or so targeting hotels.
"While we can't know for sure what hackers long-term plans are, it does seem credible that they are targeting specific industries that likely have the same exploits in order to maximise their efforts before moving on to the next industry.
"Once they get the card numbers, hackers then sell them on the 'dark web', use them directly in credit card cycling scams, or tie them to other data leaks to create full 'personas' ripe for identity theft or fraudulent account creation, likely contributing to the overall increase in account takeovers we've seen over 100 per cent of an increase since February 2015," said Wilk.
In the statement released last night, Hilton claimed that it had "eradicated unauthorised malware that targeted payment-card information in some point-of-sale systems".
It continued: "Hilton Worldwide worked closely with third-party forensics experts, law enforcement and payment card companies on this investigation, and determined that specific payment card information was targeted by this malware...
"As a precautionary measure, customers may wish to review and monitor their payment card statements if they used a payment card at a Hilton Worldwide hotel over a 17-week period, from 18 November 2014 to 5 December 2014 or April 21 to 27 July 2015," warned Hilton.
The attack on Hilton Hotels was first publicised by security blogger and journalist Brian Krebs some two months ago, after tip-offs from payment processors. The company appears to have started its investigation straight after Krebs' report was published.
Hilton is not the only hotel chain to have been targeted in this way. Last week, Starwood Hotel & Resorts Worldwide admitted that 50 of its locations had been hit by a similar breach lasting six months. Trump Hotel Collection, Mandarin Oriental and White Lodging have also admitted similar breaches.