The Hilton Hotel chain is investigating claims that customers’ credit and debit card details were compromised as a result of point-of-sale malware implanted on its cash tills.
The compromise occurred between 21 April and 27 July, according to reports, with sources at five different banks telling high-profile security researcher Brian Krebs that the breaches could date back to as long ago as November 2014. It is believed – at the moment – only to have affected Hilton-owned and franchised hotels in the US.
“In August, Visa [International] sent confidential alerts to numerous financial institutions warning of a breach at a brick-and-mortar entity… The alerts to each bank included card numbers that were suspected of being compromised, but per Visa policy those notifications did not name the breached entity,” wrote Krebs in a blog posting.
He continued: “However, sources at five different banks say they have now determined that the common point-of-purchase for cards included in that alert had only one commonality: They were all used at Hilton properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the upscale Waldorf Astoria Hotels & Resorts.”
According to Krebs, the compromise did not affect the organisation’s reservation systems, but rather the point-of-sale (POS) terminals used in its restaurants, coffee bars, gift shops and other outlets at its properties.
Point-of-sale malware takes advantage of loopholes in the PCI-DSS payment security standards, which do not specify that transactions on electronic POS terminals should be encrypted. As a result, while credit and debit card details are encrypted on the card, in transit to the POS terminal and when stored on disk, they are decrypted and processed in plain text in memory, which is where the malware harvests them.
In a statement to Computing, the company said: “Hilton Worldwide is strongly committed to protecting our customers’ credit card information. We have many systems in place and work with some of the top experts in the field to address data security.
“Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today’s marketplace. We take any potential issue very seriously, and we are looking into this matter.”