The History Of Hotels Cyber Attacks
In the Hospitality field, more than in other industries, applications and systems are exposed to the internet, creating more opportunities for entry points and therefore attacks on the troves of passwords, personally identifiable information, credit card details and other sensitive information stored in them.
Hospitality and retail security require ongoing diligence and multiple layers of defense.
As hackers continuously target the industry for its secured data, dozens of breaches have been reported by hotels since 2010.
Those attacks targeted major multinational corporations, booking sites, as well as single or privately owned properties.
Here is a timeline of the widely reported data security attacks on the hotel industry since 2008.
2020
Marriott International
When: March 31, 2020
What happened: Marriott International disclosed that names, mailing addresses, loyalty account numbers and various other personal information of more than 5.2 million guests might have been exposed in a data breach. Note that this is the second security breach to hit the hotel group in less than two years.
MGM Resorts International
When: February 19, 2020
What happened: MGM Resorts International acknowledged it had suffered a data breach in 2019 that affected 10.6 million guests.
The hack included the breach of personal data such as full names, phone numbers, home addresses, email addresses, and dates of birth for tourists, business travelers, tech CEOs, reporters, government officials, and more. About 1,300 individuals had more sensitive data exposed — from their driver’s licenses, passports, or military ID cards.
MGM Resorts’ security team confirmed the data posted online was hacked from a cloud server containing “a limited amount of information for certain previous guests.” The company stated that the breach did not include financial, payment card, or password data.
MGM Resorts acknowledged the breach occurred after ZDNet, a technology news website, published a report detailing how the personal information of guests had been posted on a hacking forum.
2019
Choice Hotels International ( Choice currently franchises more than 7,000 hotels, representing nearly 570,000 rooms, in more than 40 countries and territories.)
1.When: November 29, 2019.
What happened: In the second breach of this year alone, Choice Hotels International notified guests of “inadvertent disclosure of certain guest information” to third-party business partners as a result of customers receiving a browser error. Choice described the issue as the Safari browser repopulating information input into reservation fields once the reservation page reloaded. The information involved included the name of the person making the reservation, email address, state, zip code, country code, and the number and expiration date of the payment card used to make the reservation. If the reservation made was using a mixture of points and payment, the external verification value on the card may have also been in the website address.
Overall, this issue repeated itself approximately 88,000 times from June 2015 through 12 November 2019.
2.When: August 15, 2019
What happened: A massive data breach of personal data of approximately 700,000 guests of Choice Hotels International was exposed. The breach was the result of the discovery by hackers of an unsecured database that contained 5.7 million Choice Hotel records.
According to Choice’s statement, the breach of records “did not contain payment, password or reservation information,” but did include “some guest contact information, including names, addresses, phone numbers and/or email addresses.”
The company claims most of the data involved in the breach was “test data”; nonetheless, the database was left unsecured online for four days before being discovered by a security team.
The breach originated on a vendor’s server, which was hosting the data without authorization “to test a security offering,” according to Choice. “None of our servers were accessed,” the company stated.
Drury Hotels (exclusively located in the US, it has more than 120 hotels in 19 states. Brands include Drury Inn & Suites, Drury Inn, Drury Plaza Hotel, Drury Suites, and Pear Tree Inn by Drury.)
When: May 24, 2019
What happened: Drury Hotels has taken measures to address a security incident experienced by a third party technology service provider. The provider advised the hotel that certain transaction records from a third-party online booking site were hacked between Dec. 29, 2017 and March 13, 2019. Reservations that were made directly with Drury Hotels were not involved in this incident.
The information in the transaction records that were involved included name, payment card number, expiration date and the card’s external verification code, as well as mailing addresses and email addresses.
Drury Hotels confirmed that the breach did not affect direct bookings made on its website or mobile platform. Drury is encouraging guests to closely review payment-card statements for any unauthorized charges
2018
Marriott International
When: November 30, 2018
What happened: On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Marriott hired leading hotel cybersecurity experts to help determine what occurred. Marriott learned from the initiated investigation that unauthorized access to the system took place, since as far back as 2014.
Marriott estimates approximately 500 million guests who made a reservation at a Starwood property since 2014 might have had their information at risk.
For approximately 327 million of these guests, the information includes; name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender and reservation date.
For a few guests, hacked data also included the sensitive details of their payment card numbers and their expiration dates. The payment card numbers were encrypted, but although two components are needed to decrypt the payment card numbers, Marriott has not been able to rule out the possibility that both were taken.
- Starwood brands include W Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, Four Points by Sheraton and Design Hotels.
Radisson Hotel Group
When: November 2, 2018
What happened: Radisson identified a security breach of data on its Radisson Rewards Members database.
According to Radisson’s security investigation, the breach was restricted to member name, address (including country of residence), email address, and in some cases company name and phone number. No payment card or password information was compromised as part of this hack.
Huazhu Hotels Group (Huazhu is one of China’s largest hotel chains, operating more than 3,500 properties across 13 brands, including Mercure and Ibis)
When: August 28, 2018
What happened: The possible breach of data at Huazhu Hotels Group was first leaked by social media. It was later on reported that the leak affected 130 million customers and more than 240 million lines of data of guest-related information were compromised across 13 Huazhu hotel brands — including name, cellphone number, login credentials, addresses, date of birth, credit card numbers, bank account numbers and booking details.
The stolen data originally sold for 8 bitcoins (equivalent to roughly $51,100 U.S.). The bid price was later adjusted to 1 bitcoin after the news spread quickly across local media.
FastBooking (a web app working with 4,000 partner hotels in 100 countries)
When: June 28, 2018
What happened: An organized Team of hackers got to FastBooking ( a renowned booking website) with the sole purpose to install malware and pilfer data such as names, nationalities, physical and email addresses, booking information and payment card details from guests at hundreds of hotels.
It seems the attacker stole different information from different hotels; none of FastBooking’s customers were affected in the same way.
Orbitz (Expedia-owned travel website operator)
When: March 22, 2018
What happened: As disclosed by Orbitz, the security breach may have exposed the data of thousands of customers, including information on 880,000 payment cards. It was reported that the breach affected an older website as well as the platform of an unnamed business partner. Orbitz said that the hackers “likely had access” to customer’s names, dates of birth, email addresses, street addresses, and their genders.
The breach, although exposed on March 2018, actually took place between October and December 2017 and involved records dating between Jan. 1, 2016 and Dec. 22, 2017
2017
Hilton
When: November 1, 2017
What Happened: BBC News reported Hilton was fined $700,000 for mishandling data breaches in 2014 and 2015.
The attacks had put at risk more than 363,000 accounts
The company discovered the first breach in February 2015 and the second in July 2015, but only went public with the breaches in November 2015.
U.S. federal investigators said that the firm had taken too long to warn customers and had lacked adequate security measures.
Hyatt Hotels Corporation
When: October 12, 2017
What happened: According to a report from Reuters, Hyatt discovered a data breach into guest payment card information at 41 corporate-managed properties across 11 countries.
Hyatt said the incident affected sensitive payment information such as cardholder name, card number, expiration date and internal verification code, from cards manually entered or swiped at the front desk of certain Hyatt-managed locations.
This is not the first time Hyatt is facing a data breach problem at its hotels.
Sabre Hospitality Solutions (a hotel global distribution system)
When: May 4, 2017
What happened: Sabre Corporation disclosed a breach of its SynXis central-reservations system that may have exposed consumers’ payment card data and personally identifiable information.
A third-party reservations system provided by Sabre Hospitality Solutions infected multiple hotel companies including NYC Roosevelt Hotel, Four Seasons Hotels, and Resorts, Red Lion Hotels Corporation, Trump Hotels, Loews Hotels, Hard Rock Hotels & Casinos, Kimpton Hotels & Restaurants, Two Roads Hospitality and Club Quarter Hotels, all of which reported that the breach granted unauthorized access to credit card information as well as to reservation information between August 2016 and March 2017.
Sabre released the following statement as part of its press release:” […] Our investigation is complete and we have determined that an unauthorized party accessed certain payment card information for a limited subset of hotel reservations processed through the SHS reservation system.[…] “
Hard Rock reported that 11 properties in the U.S., Mexico, and Caribbean regions were affected by the breach.
Trump Hotels reported 14 properties in the U.S., the United Kingdom, Ireland, Canada, and South America were affected by the breach.
Loews Hotels notified guests that 21 properties in the U.S. and Canada were affected by the data breach.
Four Seasons did not provide a list of the properties affected.
RLHC confirmed the breach potentially affected eight of the company’s brands.
InterContinental Hotels Group
When: First announced on February 3rd and evolved up until April 19, 2017
What happened: In 2016, InterContinental Hotel Group announced it was investigating a credit card breach across some 5,000 hotels worldwide. Iin February, IHG acknowledged a breach but said it appeared to involve only a dozen U.S properties.
Now, IHG has released data showing that cash registers at more than 5000 of its properties were compromised through the use of a malware-based payment card breach
software designed to siphon customer credit card data.
The malicious code usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.
2016
Millennium Hotels and Resorts (MHR)
When: August 25, 2016
What happened: Millennium Hotels & Resorts North America (MHR) has become aware of a data security incident which affected point of sale systems that processed customer card payments — primarily within food and beverage facilities operating at 14 of its hotels, between early March 2016 and mid-June 2016.
It has been stated that the hackers targeted F&B point-of-sales systems but did not infiltrate Millennium’s property management or booking systems.
The affected point of sale systems are separate from MHR’s hotel property-management and booking systems. The results from MHR’s current investigation do not indicate the compromise of other systems.
HEI Hospitality
When: August 15, 2016
What happened: HEI Hotels & Resorts announced that malware, which may have collected personal information of its guests such as names, payment card numbers, and verification codes, was found in 20 of its locations.
The breach had begun in December and was carried out through June. There is a suspicion though that some properties may have been infected with malware since March 2015.
The hack essentially targeted food & beverage outlets in the hotels.
Once HEI discovered the breach, payment card processing was transferred to a stand-alone system apart from the rest of the company’s network, and the malware was removed.
The company is also increasing the security of its network and is working with law enforcement, banks, and credit card companies in order to tighten its security gaps.
Kimpton Hotels & Restaurants (part of InterContinental Hotels Group)
When: July 26, 2016
What happened: After being contacted by data security blog KrebsonSecurity on July 22nd, in response to rumors of a potential breach, Kimpton officials confirmed the company had been targeted by hackers.
At the beginning of September, Kimpton relayed more information about the attack which occurred between 16 February and 7 July 2016. Hackers reportedly used malware to scrape information from guests’ credit cards.
Omni Hotels
When: July 8, 2016
What happened: The Dallas-based hotel company discovered on the 30th of May that a malware attack had targeted credit card information at point-of-sale
systems at various Omni properties during the period between 23 December 2015 and 14 June 2016. The Dallas Morning News reported that Omni officials confirmed 49 properties were affected by the breach and more than 50,000 customer credit and debit cards had been exposed.
Hard Rock Hotel & Casino Las Vegas
When: July 5, 2016
What happened: The Las Vegas resort located a breach in its payment card system on May 13th after investigating reports of fraudulent activity with payment cards used on their property.
Card-scraping malware that targeted hotel guest’s names, card numbers, expiration dates, and verification codes were found at the Hard Rock’s restaurant and retail outlet payment systems. The data breach occurred between 27 October 2015 and 21 March 2016.
The rock-and-roll-themed casino initiated an investigation after receiving reports of fraudulent activity connected with payment cards used at their venue, according to the Notice of Data Breach submitted to the California Attorney General.
Given that this is the second data breach under similar circumstances, it looks as if the clean-up on the first incident didn’t catch everything, the fact that criminals were able to access the payment network a second time using the same previous methods, or managed to find another way in, is showing how little was done following the previous breach.
Trump Hotel Collection
When: April 6, 2016
What happened: According to technology security blog KrebsonSecurity, unnamed sources in the banking industry identified “a pattern of fraud on customer credit cards, which suggests hackers have breached credit card systems at some of the Trump Hotel Collection properties”.
Three separate sources in the financial sector have related patterns of fraud on customer credit cards linked to properties in the Trump Hotel Collection, suggesting the breach could have affected a number of the hotel’s portfolio assets.
Cards that were used at multiple Trump hotel locations between January and March 2016 are particularly under risk.
Specific hotels mentioned include the Trump International Hotel New York, the Trump International Hotel & Tower in Toronto, and Trump Hotel Waikiki in Honolulu.
This is the second event in two years,
Rosen Hotels & Resorts
When: March 4, 2016
What happened: According to a news release, RH&R received reports on February 3rd of unauthorized charges that occurred on payment cards after they had been used by RH&R guests during their stay. The breach may have affected all company properties between September 2nd 2014 and February 18th 2016, according to the release.
Laundry’s Hotels
When: February 11, 2016
What happened: an investigation has been completed following a payment-card breach at more than 300 of the chain’s restaurants, hotels, and casinos.
The company first discovered the breach in December. It took place at the company’s food and beverage outlets, spas, and entertainment locations, the company said.
All six Golden Nugget businesses were affected.
The breached information includes cardholder names, card numbers, expiration dates, and internal verification codes.
Findings from the investigation reveal that skilled hackers were able to install malware on payment card processing devices that lifted the data from the magnetic swipe stripe of payment cards, meaning the hackers installed a program in the company’s systems that captured payment-card information after they were swiped.
Most of the activity took place between May 4, 2014 and March 15, 2015, as well as between May 5, 2015 and Dec. 3, 2015.
2015
Hyatt Hotels Corporation
When: December 23, 2015
What happened: According to a report from Reuters. Company officials announced a malware attack involving payment processing systems was discovered on 30 November.
Hyatt confirmed hackers targeted payment card data from cards used onsite at 250 Hyatt locations, between 13 August 2015 and 8 December 2015.
Hilton
When: November 24, 2015
What happened: According to a letter posted on Hilton’s website, a data security attack affected the payment systems at Hilton properties between the period of November 18th to December 5th 2014, and 21 April to 27 July 2015. The company released a data breach FAQ but did not specify how many guests were affected, nor which properties were targeted.
Starwood Hotels & Resorts Worldwide
When: November 20, 2015
What happened: A malware designed to help cyber thieves steal credit and debit card data was found on point-of-sale cash registers at some of Starwood Hotels & Resorts. The breach started in some locations as early as November 2014, ending sometime in April or May.
After an investigation, it was reported that the malware was designed to collect specific payment card information, such as cardholder name, payment card number, security code, and expiration date. No evidence was found that other customer information, such as contact information, Social Security Numbers or PINs were affected by this issue.
Noble House Hotels and Resorts
When: November 13, 2015
What happened: The breach affected six locations over different time periods, starting December 29 th 2014 through August 11th 2015. The malware which found its way to the payment systems of the affected properties downloaded guest information from the magnetic strip of the credit cards swiped at the location.
Trump Hotel Collection
When: October 5, 2015
What happened: Trump Hotel Collection officials have confirmed that seven of the company’s properties suffered a data breach where customer credit and debit card numbers might have been stolen. The breach apparently occurred due to “unauthorized malware access” to front-desk payment card systems between May 2014 and June 2015. Gift shops and hotel restaurants were also hacked.
The affected properties included two hotels in New York, along with properties in Miami, Chicago, Hawaii, Las Vegas, and Toronto. Trump officials said there was no evidence any guest information was removed from their data systems, but all news regarding the incident was released as a precaution.
Mandarin Oriental Hotel Group
When: March 5, 2015
What happened: Mandarin’s credit card system was compromised by malware. Ten properties across the globe were affected between June 18th 2014 and March 12th 2015. After first confirming the breach in March, the company issued an updated release several months later claiming there was no evidence of identity theft or identity fraud among affected guests.
2014
Houstonian Hotel Club & Spa
When: July 8, 2014
What happened: According to The Houston Business Journal, The Houstonian Hotel, Club & Spa had suffered a six-month “malicious software attack” that could have exposed credit card information. Although the hotel could not say for sure how many customers might have been affected, 10,000 guests were notified of the data breach. The attack lasted from December 28, 2013 to June 20, 2014
White Lodging Services Corporation
When: February 3, 2014
What happened: White Lodging reported that point-of-sale systems at 14 of its properties in the U.S. — mostly falling under the Renaissance and Holiday Inn brands — had been breached between March 20 and December 16 of 2013.
The breach originated from the property-management system and point-of-sale systems being affected by malware.
The company launched a review with federal law enforcement officials and initiated a third-party forensic review.
The data breach affected point-of-sales systems at food-and-beverage outlets at 10 White Lodging properties between 3 July 2014 and 6 February 2015.
9 of the 10 affected properties were Marriott brands. This was White Lodging’s second data breach since the beginning of 2014.
2010
HEI Hospitality ( owns and operates a number of hotels, including Marriott-branded hotels.)
When: September 2, 2010
What happened: Point of sale systems used in its restaurants, bars, and gift shops and the information management system used at check-in were illegally accessed and transactions intercepted, exposing the credit card’s number, expiration date, security code, and encoded magstripe data.
The data security attack occurred between March 25th and April 10th in ten of the hotel’s locations simultaneously.
The affected hotels included both Marriott and Starwood brands in California, Michigan, Florida, and others.
2008–2010
Wyndham Worldwide Corporation (Wyndham’s brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge, in addition as Wyndham)
When: On three separate occasions, breaches occurred between April 2008 and January 2010
What happened: Wyndham hotels were hit with data security attacks 3 times between April 2008 and January 2010, which resulted in nearly $11 million in identity fraud damages, according to Reuters.
The Federal Trade Commission pursued action at law against Wyndham in 2012 but both parties settled the case on 9 December 2015, with Wyndham agreeing to an FTC consent order and therefore being absolved of paying any monetary damages.
The FTC wanted to carry Wyndham in control of breaches in 2008 and 2009 during which hackers broke into its ADP system and stole MasterCard and other details from customers, resulting in quite $10.6 million in fraudulent charges.
