HEI has reported that 20 hotels that it operates in the US may have been targeted by hackers seeking customers' credit card information. Determining how many and which customers might have had their data stolen is difficult; HEI only discovered the breach in June and it is possible that the malware may have been active since March 1, 2015 in some systems.

The hotels ranged from Starwood, Marriott, Hyatt, and Intercontinental flags and were located in Florida, Texas, Vermont, Chicago, Ill., Arlington, Va., California, Nashville, Tenn., Minneapolis, Minn., Colorado, Washington, DC and Philadelphia.

A full list of the properties and the dates that they affected can be found here.

HEI said that the malware has been contained and guests can safely use payment cards at all of its properties. “We are sorry for any concern or frustration that this incident may cause,” it said.

Certainly, it is easy to feel sympathy for HEI's position; it is hardly alone is being victimized by hackers and, as the supposed theft of NSA hacking tools illustrates, cyber criminals have become frighteningly clever. But the HEI malware writer or writers didn't have to be of the caliber to go up against the NSA — as HEI itself said, they probably used the point-of-sale as an entry point.

Here, it should be noted that the point-of-sale has become easy pickings for hackers. Also of note: many other hotels experienced similar attacks prior to HEI's attack.

An Industry Under Assault

As TrendMicro's security blog Simply Security noted earlier this year, hackers have been targeting hotels since at least March 2015. It wrote:

It was then that the luxury Mandarin Oriental Hotel Group run by White Lodging Services Corporation became the victim of a cyber attack that breached the POS, and resulted in the possible theft of payment card data. The company did not specify how many cards were affected, but stated that it was a “limited number.”

White Lodging's troubles were far from over, though, TrendMicro continued.

Less than a month later, the group announced another suspected hacking, this time of its restaurants and lounges. The company released the names of 10 properties that had been affected from July 3, 2014 through Feb. 6, 2015. Once again, the culprit was POS malware.

Then followed a who's who list of top-name hotels confessing to its guests that their data had possibly been compromised. In September 2015, a security expert reported that several sources in the financial industry had traced multiple cases of credit card fraud back to Hilton Hotel properties. TrendMicro wrote:

At the time, there was no official announcement from Hilton that confirmed this information. This changed in November when the company wrote in a press release that its POS systems had, in fact, been breached and as a result, cardholder names and payment information were stolen.

Then, in between the time that the Hilton breach has first been suspected and confirmed, the Trump Hotel Collection confirmed suspicions of its own regarding a possible breach of its POS system.

The company announced in early October that it had been actively affected by malware for nearly a year, and that any customers who paid with credit or debit cards between the dates of May 19, 2014 and June 2, 2015, may have had payment information stolen.

Starwood was also having problems as it turned out during this time period.

Shortly before Hilton confirmed its suspected breach in November, Starwood announced that 54 of its properties including Sheraton, Westin and W locations, had been preyed upon by cyber attackers, resulting in the possible exposure of debit and credit card information of its customers. Once again, the culprit was POS malware.

Then, two days before Christmas, Hyatt announced that it too had become the victim of a cyber attack targeting its payment systems.

Industries Promise to Cooperate

This is not to say the hospitality industry and other relevant groups wrung their hands passively in the background.

Around the time of some of these attacks, a number of business associations announced a partnership to share information and discuss possible solutions. They included the Retail Industry Leaders Association, the Financial Services Roundtable, the American Bankers Association, The Clearing House, the Consumer Bankers Association, the Food Marketing Institute, Independent Community Bankers of America, the International Council of Shopping Centers, the National Associations of Convenience Stores, the National Grocers Association, the National Restaurant Association, the National Retail Federation — and yes, the American Hotel & Lodging Association.

“The US hotel industry is committed to protecting the confidential data of our customers,” said Katherine Lugar, president & CEO of the American Hotel & Lodging Association, said at the time. “We look forward to working with merchant and financial groups to advance measures to further enhance data security.”

“No Hotel Chain Has Shown Leadership”

But intra- and inter-industry cooperation only goes so far when stacked up against the hard challenges of cyber defense. Hotels are dealing with the same issues that other large public-facing organizations are that make it difficult to stymie an attack, starting with legacy IT and the high costs of starting from scratch. There are also privacy issues to be navigated.

Other issues are specific to the common business model used in the hospitality industry, according to a statement by Philip Lieberman, president of Lieberman Software that was released to reporters following HEI's announcement.

“The current business model of hotels and their franchisees does not provide cyber security as one of the deliverables provided to their licensees,” he said. “Along this same line, the types of equipment/software used by the properties, software patching, and monitoring are woefully inadequate for today's threats.”

A solution is possible, Lieberman said. “One could imagine that a large hospitality company could — or would — provide a centralized network operations center and security operations center capability, but that is not the case today.”

So far, he concluded, “no hotel chain to date has stepped up and shown leadership in cyber security.”

WASHINGTON, DC—As far as cyber hacks go, the Norwalk, CT-based HEI Hotel & Resorts breach doesn't rank very high in terms of daring or potential catastrophe; at least not compared to the current one dominating headlines. An unknown group of cyber criminal group is claiming to have stolen US government hacking tools from an organization affiliated with the National Security Agency. Supposedly these tools are on sale right now — available to the highest bidder.

But then again, ask a guest who had stayed at one of the affected hotels during the time period the malware was active what his or her thoughts are about the breach. Or ask a security expert that has been following the chain of cyber thefts at hotels for the last two years, most of which have occurred through the same point of vulnerability.

The perspective changes a bit.

20 HEI-Operated Hotels May Have Been Attacked

HEI has reported that 20 hotels that it operates in the US may have been targeted by hackers seeking customers' credit card information. Determining how many and which customers might have had their data stolen is difficult; HEI only discovered the breach in June and it is possible that the malware may have been active since March 1, 2015 in some systems.

The hotels ranged from Starwood, Marriott, Hyatt, and Intercontinental flags and were located in Florida, Texas, Vermont, Chicago, Ill., Arlington, Va., California, Nashville, Tenn., Minneapolis, Minn., Colorado, Washington, DC and Philadelphia.

A full list of the properties and the dates that they affected can be found here.

HEI said that the malware has been contained and guests can safely use payment cards at all of its properties. “We are sorry for any concern or frustration that this incident may cause,” it said.

Certainly, it is easy to feel sympathy for HEI's position; it is hardly alone is being victimized by hackers and, as the supposed theft of NSA hacking tools illustrates, cyber criminals have become frighteningly clever. But the HEI malware writer or writers didn't have to be of the caliber to go up against the NSA — as HEI itself said, they probably used the point-of-sale as an entry point.

Here, it should be noted that the point-of-sale has become easy pickings for hackers. Also of note: many other hotels experienced similar attacks prior to HEI's attack.

An Industry Under Assault

As TrendMicro's security blog Simply Security noted earlier this year, hackers have been targeting hotels since at least March 2015. It wrote:

It was then that the luxury Mandarin Oriental Hotel Group run by White Lodging Services Corporation became the victim of a cyber attack that breached the POS, and resulted in the possible theft of payment card data. The company did not specify how many cards were affected, but stated that it was a “limited number.”

White Lodging's troubles were far from over, though, TrendMicro continued.

Less than a month later, the group announced another suspected hacking, this time of its restaurants and lounges. The company released the names of 10 properties that had been affected from July 3, 2014 through Feb. 6, 2015. Once again, the culprit was POS malware.

Then followed a who's who list of top-name hotels confessing to its guests that their data had possibly been compromised. In September 2015, a security expert reported that several sources in the financial industry had traced multiple cases of credit card fraud back to Hilton Hotel properties. TrendMicro wrote:

At the time, there was no official announcement from Hilton that confirmed this information. This changed in November when the company wrote in a press release that its POS systems had, in fact, been breached and as a result, cardholder names and payment information were stolen.

Then, in between the time that the Hilton breach has first been suspected and confirmed, the Trump Hotel Collection confirmed suspicions of its own regarding a possible breach of its POS system.

The company announced in early October that it had been actively affected by malware for nearly a year, and that any customers who paid with credit or debit cards between the dates of May 19, 2014 and June 2, 2015, may have had payment information stolen.

Starwood was also having problems as it turned out during this time period.

Shortly before Hilton confirmed its suspected breach in November, Starwood announced that 54 of its properties including Sheraton, Westin and W locations, had been preyed upon by cyber attackers, resulting in the possible exposure of debit and credit card information of its customers. Once again, the culprit was POS malware.

Then, two days before Christmas, Hyatt announced that it too had become the victim of a cyber attack targeting its payment systems.

Industries Promise to Cooperate

This is not to say the hospitality industry and other relevant groups wrung their hands passively in the background.

Around the time of some of these attacks, a number of business associations announced a partnership to share information and discuss possible solutions. They included the Retail Industry Leaders Association, the Financial Services Roundtable, the American Bankers Association, The Clearing House, the Consumer Bankers Association, the Food Marketing Institute, Independent Community Bankers of America, the International Council of Shopping Centers, the National Associations of Convenience Stores, the National Grocers Association, the National Restaurant Association, the National Retail Federation — and yes, the American Hotel & Lodging Association.

“The US hotel industry is committed to protecting the confidential data of our customers,” said Katherine Lugar, president & CEO of the American Hotel & Lodging Association, said at the time. “We look forward to working with merchant and financial groups to advance measures to further enhance data security.”

“No Hotel Chain Has Shown Leadership”

But intra- and inter-industry cooperation only goes so far when stacked up against the hard challenges of cyber defense. Hotels are dealing with the same issues that other large public-facing organizations are that make it difficult to stymie an attack, starting with legacy IT and the high costs of starting from scratch. There are also privacy issues to be navigated.

Other issues are specific to the common business model used in the hospitality industry, according to a statement by Philip Lieberman, president of Lieberman Software that was released to reporters following HEI's announcement.

“The current business model of hotels and their franchisees does not provide cyber security as one of the deliverables provided to their licensees,” he said. “Along this same line, the types of equipment/software used by the properties, software patching, and monitoring are woefully inadequate for today's threats.”

A solution is possible, Lieberman said. “One could imagine that a large hospitality company could — or would — provide a centralized network operations center and security operations center capability, but that is not the case today.”

So far, he concluded, “no hotel chain to date has stepped up and shown leadership in cyber security.”