National hotel franchisor White Lodging has been beset by a credit card data breach, with fraud stretching for more than 9 months, the KrebsOnSecurity blog has revealed.
Brian Krebs, who is the preeminent authority on cyber-security, has found that Indiana-based White Lodging was "seeing a pattern of fraud on hundreds of cards that were all previously used at Marriott hotels from roughly March 23, 2013 on through the end of last year."
White Lodging Services has a 168 full-service hotels in 21 states, with flags from internationally-recognized brands like Marriott, Radisson Hotels, Intercontinental Hotel Group, Hilton, Starwood, and Hyatt.
The fraud was limited to the Marriott brands within the operator's portfolio, and was targeted geographically to Louisville, Austin, Chicago, Denver, Los Angeles, and Tampa.
The company also has more than 30 company-owned restaurants, where much the alleged fraud occurred. The cards were never used to stay in the actual hotels; rather, the fraudsters accessed the numbers of cards used to pay in the restaurants, gift shops and for other services around the hotels.
As Krebs reports,
Sources say the breach appears to have affected mainly restaurants, gift shops and other establishments within hotels managed by White Lodging — not the property management systems that run the hotel front desk computers which handle guests checking in and out. In the case of Marriott, for example, all Marriott establishments operated as a franchise must use Marriott’s property management system. As a result, the breach impacted only those Marriott guests who used their cards at White Lodging-managed gift shops and restaurants.
While the localized nature of the breach might be of slight relief to Marriott, White Lodging is an expansive hotel franchisee and so this is a very serious issue across the board - especially given the decentralized nature of the payment processing that occurs outside of the corporate PMS in hotels operator by a third party.
White Lodging has released a basic statement saying they are looking into the matter and will share an update "as soon as it becomes available," and has promised a press release update at 2pm Eastern today.
A Marriott spokesperson emailed this statement to Tnooz:
One of our franchise management companies has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels. They are in the midst of the investigation and are in close contact with the banks and credit cards companies. We are working closely with the franchise management company as they investigate the matter. Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide. Since this impacts customers of Marriott properties, we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely.
The credit card breach comes on the heels of intense data security discussions last month at the Hotel Electronic Distribution Network Association conference in New Orleans. Tnooz covered much of this discussion surrounding secure payments and connectivity, and it clearly continues to be a major issue both for hotel operators and their corporate franchisors.
Payment processing security is already becoming one of the most talked about stories of 2014, becoming a question not of if but when a security breach will impact an industry.
NB: Credit card image courtesy Shutterstock.