There's an update to the far-reaching credit card data breach story that Tnooz covered yesterday. The operator, White Lodging, confirms that they did in fact have a significant security breach for many months in 2013.
The company, which is an independent hotel operator for several brands, has released a list of affected hotels:
- Marriott Midway, Chicago, IL
- Holiday Inn Midway, Chicago, IL
- Holiday Inn Austin Northwest, Austin, TX
- Sheraton Erie Bayfront, Erie, PA
- Westin Austin at the Domain, Austin, TX
- Marriott Boulder, Boulder, CO
- Marriott Denver South, Denver, CO
- Marriott Austin South, Austin, TX
- Marriott Indianapolis Downtown, Indianapolis, IN
- Marriott Richmond Downtown, Richmond, VA
- Marriott Louisville Downtown, Louisville, KY
- Renaissance Plantation, Plantation, FL
- Renaissance Broomfield Flatiron, Broomfield, CO
- Radisson Star Plaza, Merrillville, IN
The data thieves managed to maintain access to the flow of credit card data from March 20th to December 16th, a staggering length of time that calls into question the operator's security capabilities.
As reported previously, the majority of these cards were not used to purchase hotel rooms. Rather, they were used on-property at food and beverage outlets. However, the company believes the Radisson Star Plaza, in the company's hometown of Merrillville, had its property management system (PMS) compromised as well.
The company has not responded to a direct request for comment from Tnooz. Of particular interest is the actual number of cards affected. Another important issue is PCI compliance.
As many an expert will share, storing the CVV2 number is not PCI-compliant. If the numbers were stored rather than stolen right at the swipe, White Lodging may have been in violation of PCI standards, opening itself up not only to the data breach but also to PCI-related liability.
From their statement:

The unlawfully accessed data may have included names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates. Guests who used or visited the affected businesses during the nine-month period and who used a credit or debit card to pay their bills at the outlets might have had such information compromised and are encouraged to review their statements from that time period.
The company does not mention why this took so long to discover, nor why the breach managed to last for over nine months.
There's a very real lesson to be learned here by anyone who processes payments: without a plan in place to monitor security - and any potential compromises - a huge risk is left to play out without supervision. Managing payment security is indeed a competitive advantage, and should not be taken lightly by anyone processing payments in travel.
Again, merchants should absolutely not be storing the CVV2 numbers at any time in their system. Any storage of security numbers - whether on a piece of paper sitting in a fax machine or on a server - is not considered PCI compliant. Here's an image courtesy of the expert above, payment processor Braintree, about what can and cannot be stored:
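The storage rule above, and the monitoring point from the previous paragraph, as an added Python example. This is not code from Tnooz, White Lodging or Braintree; it applies the PCI DSS distinction between cardholder data that may be stored (PAN, cardholder name, expiration date, service code) and sensitive authentication data that must never be persisted after authorisation (CVV2/CVC2/CID, PIN, full magnetic-stripe track data). The field names, the sample record and the log lines are constructed for illustration; a real point-of-sale system will label fields differently.

```python
"""PCI DSS data-retention rules applied to a payment record and to POS logs.

Added example. Field names, the sample record and the log lines below are
constructed; they are not taken from any real system or from this breach.
"""
import re
from typing import Any, Dict, List, Tuple

# Sensitive authentication data (SAD): usable during authorisation, never to
# be stored afterwards, even encrypted. Key spellings are assumed POS labels.
SAD_FIELDS = {
    "cvv", "cvv2", "cvc", "cvc2", "cid", "cav2",
    "pin", "pin_block", "track1", "track2", "track_data",
}

# Cardholder data PCI DSS permits storing, subject to protection requirements.
ALLOWED_CARD_FIELDS = {"pan", "cardholder_name", "expiry", "service_code"}

# Track 2 data looks like PAN '=' YYMM service-code ...; a bare 13-19 digit
# run followed by '=' and four digits is a strong indicator in free text.
TRACK2_RE = re.compile(r"\d{13,19}=\d{4}")
# A security code written out as a labelled value, e.g. "cvv2=123".
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def mask_pan(pan: str) -> str:
    """Render a PAN as first six / last four, the most PCI DSS allows on display."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: Dict[str, Any]) -> Dict[str, Any]:
    """Drop every SAD field and mask the PAN before a record is persisted.

    Non-card fields (amount, outlet, timestamp) pass through unchanged. A real
    system would tokenize or encrypt the full PAN separately; here it is only
    masked so nothing in the stored copy is usable for a fraudulent charge.
    """
    stored: Dict[str, Any] = {}
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            continue  # never written anywhere, not even to a debug log
        if k == "pan":
            stored[k] = mask_pan(str(value))
        else:
            stored[k] = value
    return stored


def find_stored_sad(rows: List[Dict[str, Any]]) -> List[Tuple[int, str]]:
    """Audit rows already persisted: (row index, field) for each SAD field found."""
    return [(i, key) for i, row in enumerate(rows)
            for key in row if key.lower() in SAD_FIELDS]


def scan_log_for_sad(text: str) -> List[Tuple[int, str]]:
    """Flag log lines carrying track data or a written-out security code.

    Returns (1-based line number, kind). A merchant running this over POS and
    application logs catches the 'stored on a server by accident' case.
    """
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if TRACK2_RE.search(line):
            findings.append((n, "track2"))
        if CVV_RE.search(line):
            findings.append((n, "cvv"))
    return findings


# Constructed sample input: one swipe at a hotel food and beverage outlet.
SAMPLE_RECORD = {
    "PAN": "4111 1111 1111 1111",   # well-known test PAN, not a real card
    "cardholder_name": "J DOE",
    "expiry": "1216",
    "CVV2": "123",
    "track2": ";4111111111111111=16121011000012345?",
    "amount": "42.10",
    "outlet": "lobby bar",
}

# Constructed POS log excerpt: line 2 leaks track data, line 3 leaks the CVV2.
SAMPLE_LOG = (
    "2013-12-16 22:10:01 POS-LOBBYBAR auth ok amount=42.10 pan=411111******1111\n"
    "2013-12-16 22:10:02 POS-LOBBYBAR debug track2=;4111111111111111=16121011000012345?\n"
    "2013-12-16 22:10:02 POS-LOBBYBAR debug cvv2=123\n"
)

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD))
    print(find_stored_sad([SAMPLE_RECORD]))
    print(scan_log_for_sad(SAMPLE_LOG))
```

The sanitizer is the control at write time; the two audit functions are the monitoring half of the lesson, run over existing tables and logs so that a stored CVV2 or a debug line echoing track data is found by the merchant rather than by whoever finds it next.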
The company is offering a complimentary one year identity fraud protection service for affected customers, and encourages anyone who visited these properties to check their bills from this time period in 2013.
NB: Credit lock image courtesy Shutterstock.