More Data Breaches with Starwood and Hilton: What You Can Do

f you have used a credit card at what are known as point of sale systems at certain hotel properties of both Starwood Hotels and Resorts Worldwide, Incorporated and Hilton Worldwide, you might be one of the victims of data breaches which have been reported.

Data breaches are part of a technology problem which is seeming to become more and more prevalent in recent years where nefariously rogue people are trying to get access to sensitive data and steal it to use for their own benefit — specifically, the payment card numbers, expiration dates and security codes of customers — and companies in the travel industry are certainly no exception.

Starwood Data Breach

This official announcement was released by the president of The Americas division of Starwood Hotels and Resorts Worldwide, Incorporated on Friday, November 20, 2015; and it is reproduced below in its entirety.

Dear Starwood Customers:

We recently became aware of a malware intrusion that affected some point of sale systems at a limited number of Starwood hotels in North America. Promptly after discovering the issue, we engaged third-party forensic experts to conduct an extensive investigation. We have been working closely with law enforcement authorities and coordinating our efforts with the payment card organizations to determine the facts. We want to assure you that protecting the security of our customers’ personal information is a top priority for Starwood.

Based on the investigation, we discovered that the point of sale systems at certain Starwood hotels were infected with malware, enabling unauthorized parties to access payment card data of some of our customers. We want you to know that the affected hotels have taken steps to secure customer payment card information, and the malware no longer presents a threat to customers using payment cards at our hotels.

We have determined the following:

  • The attack targeted certain point of sale systems at a limited number of Starwood properties in North America. The locations and potential dates of exposure for each affected Starwood property are listed here.
  • The malware affected certain restaurants, gift shops and other point of sale systems at the relevant Starwood properties. We have no indication at this time that our guest reservation or Starwood Preferred Guest membership systems were impacted.
  • The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date. There is no evidence that other customer information, such as contact information, Social Security numbers or PINs, were affected by this issue.

We sincerely regret any inconvenience this may cause. We take our obligation to safeguard personal information very seriously and are alerting affected customers about this incident so they can take steps to help protect their information. You are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. To order your free credit report, visit www.annualcreditreport.com or call toll-free at 1-877-322-8228. We encourage you to remain vigilant by reviewing your account statements and monitoring your free credit reports. If you believe your payment card may have been affected, please contact your bank or card issuer immediately.

In addition, we have arranged with AllClear ID to offer identity protection and credit monitoring services to affected Starwood customers for one year at no cost to them. The Reference Guide provides information on registration and recommendations by the U.S. Federal Trade Commission on the protection of personal information.

If you have any questions or would like more information, please call 1-855-270-9179 (U.S. and Canada) or 1-512-201-2201 (International), Monday through Saturday, 8:00 am to 8:00 pm CST.

Again, we sincerely apologize for any inconvenience this issue may cause.

Sincerely,

Sergio Rivera
President, The Americas

Affected Starwood Hotel Properties

This is a list of the 54 Starwood Hotels and Resorts Worldwide, Incorporated hotel and resort properties in the United States and Canada which were affected by payment card security issue; and you may want to check to see if the information of the payment card you used was exposed if you stayed at one of the hotel and resort properties:

Hotel Property Location
Start Date
End Date
Le Centre Sheraton Montreal Montréal, Quebec
March 2, 2015
April 6, 2015
Moana Surfrider, A Westin Resort Honolulu, Hawaii February 2, 2015 April 4, 2015
Palace Hotel, San Francisco San Francisco, California
December 25, 2014
April 4, 2015
Sheraton Atlantic City Convention Center Hotel Atlantic City, New Jersey November 7, 2014 May 6, 2015
Sheraton Birmingham Hotel Birmingham, Alabama
March 2, 2015
April 14, 2015
Sheraton Boston Hotel Boston, Massachusetts March 2, 2015 April 9, 2015
Sheraton Dallas Hotel Dallas, Texas
March 2, 2015
April 16, 2015
Sheraton Denver Hotel Denver, Colorado March 2, 2015 May 2, 2015
Sheraton Fairplex Hotel & Conference Center Pomona, California
March 2, 2015
April 13, 2015
Sheraton Grand Sacramento Hotel Sacramento, California March 2, 2015 April 19, 2015
Sheraton Kansas City Hotel at Crown Center Kansas City, Missouri
March 2, 2015
April 16, 2015
Sheraton Maui Resort & Spa Maui, Hawaii November 7, 2014 April 16, 2015
Sheraton New Orleans Hotel New Orleans, Louisiana
November 7, 2014
April 16, 2015
Sheraton New York Times Square Hotel New York, New York
March 2, 2015
May 3, 2015
Sheraton San Diego Hotel & Marina San Diego, California January 3, 2015 March 2, 2015
Sheraton Seattle Hotel Seattle, Washington
March 2, 2015
April 16, 2015
Sheraton Stonebriar Hotel Frisco, Texas March 2, 2015 April 8, 2015
Sheraton Waikiki Honolulu, Hawaii
November 7, 2014
April 8, 2015
Sheraton Wild Horse Pass Resort & Spa Chandler, Arizona March 2, 2015 May 6, 2015
The Phoenician, a Luxury Collection Resort Scottsdale, Arizona
January 23, 2015
April 17, 2015
The St. Regis Bal Harbour Resort Bal Harbour, Florida March 2, 2015 April 16, 2015
The Westin Birmingham Birmingham, Alabama
March 2, 2015
April 7, 2015
The Westin Boston Waterfront Boston, Massachusetts March 2, 2015 April 20, 2015
The Westin Charlotte Charlotte, North Carolina January 6, 2015 April 13, 2015
The Westin Chicago River North Chicago, Illinois March 2, 2015 April 5, 2015
The Westin Cincinnati Cincinnati, Ohio March 2, 2015 June 30, 2015
The Westin Detroit Metropolitan Airport Detroit, Michigan March 2, 2015 April 9, 2015
The Westin Ka`Anapali Ocean Resort Villas Lahaina, Hawaii March 2, 2015 March 26, 2015
The Westin Kansas City at Crown Center Kansas City, Missouri November 7, 2014 April 5, 2015
The Westin Kierland Resort & Spa Scottsdale, Arizona January 22, 2015 April 5, 2015
The Westin Kierland Villas, Scottsdale Scottsdale, Arizona January 20, 2015 January 21, 2015
The Westin La Paloma Resort & Spa Tucson, Arizona March 2, 2015 April 16, 2015
The Westin Lombard Yorktown Center Lombard, Illinois March 2, 2015 April 4, 2015
The Westin Los Angeles Airport Los Angeles, California March 2, 2015 April 4, 2015
The Westin Maui Resort & Spa Maui, Hawaii March 2, 2015 April 8, 2015
The Westin Michigan Avenue Chicago Chicago, Illinois March 2, 2015 May 14, 2015
The Westin Mission Hills Golf Resort & Spa Rancho Mirage, California January 6, 2015 February 10, 2015
The Westin New York at Times Square New York, New York March 2, 2015 April 25, 2015
The Westin New York Grand Central New York, New York March 2, 2015 April 10, 2015
The Westin Phoenix Downtown Phoenix, Arizona January 5, 2015 April 16, 2015
The Westin Princeville Ocean Resort Villas Princeville, Hawaii March 2, 2015 March 26, 2015
The Westin Seattle Seattle, Washington November 7, 2014 April 7, 2015
The Westin South Coast Plaza Costa Mesa, California November 7, 2014 December 3, 2014
The Westin St. Francis San Francisco, California March 2, 2015 April 8, 2015
The Westin Stonebriar Hotel & Golf Club Frisco, Texas November 7, 2014 April 15, 2015
The Westin Waltham Boston Waltham, Massachusetts November 7, 2014 April 20, 2015
W Hoboken Hoboken, New Jersey November 7, 2014 April 15, 2015
W Hollywood Los Angeles, California March 2, 2015 April 6, 2015
W Montreal Montréal, Quebec March 2, 2015 April 6, 2015
W New Orleans – French Quarter New Orleans, Louisiana March 2, 2015 October 23, 2015
W New York – Times Square New York, New York March 2, 2015 March 8, 2015
W Retreat & Spa – Vieques Island Vieques Island, Puerto Rico March 2, 2015 April 13, 2015
W South Beach Miami Beach, Florida January 22, 2015 April 9, 2015
Walt Disney World Dolphin, A Sheraton Hotel Orlando, Florida November 5, 2014 April 13, 2015

Hilton Data Breach

This official announcement was released by a representative of Hilton Worldwide, Incorporated on Tuesday, November 24, 2015; and it is reproduced below in its entirety.

Hilton Worldwide Has Identified and Taken Action to Eradicate Malware

MCLEAN, Va. – Hilton Worldwide (NYSE: HLT) has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems.  Hilton immediately launched an investigation and has further strengthened its systems.

Hilton Worldwide worked closely with third-party forensics experts, law enforcement and payment card companies on this investigation, and determined that specific payment card information was targeted by this malware.  This information includes cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs).

As a precautionary measure, customers may wish to review and monitor their payment card statements if they used a payment card at a Hilton Worldwide hotel over a seventeen-week period, from November 18 to December 5, 2014 or April 21 to July 27, 2015.

Customers generally are not responsible for fraudulent activity on their payment cards, and should contact their financial institution directly if they notice any irregularities.  They can also visit hiltonworldwide.com/guestupdate for more details, including how to receive one year of complimentary credit monitoring.

Hilton Worldwide is strongly committed to protecting customers’ payment card information, and we sincerely regret any inconvenience this may have caused customers.

Contact:
Chris Brooks
hiltonmedia@hilton.com
(571) 395-1474

I have not confirmed at this time as to whether or not the latest security breach reported pertaining to Hilton Worldwide is related to the one on which I reported in this article back on Sunday, 

To my knowledge, Hilton Worldwide has not released a specific list of hotel and resort properties affected by the data breach — supposedly limited to credit card transactions at restaurants and gift shops.

What Can You Do?

Although I have given some extensive advice about what you can do about identity theft and credit card fraud — as well as how to reduce your risk — sometimes it is simply almost impossible to avoid.

Even if one of those aforementioned nefariously rogue people did manage to acquire the credit card number which you used for payment, the worst case scenario is typically that your credit card number will be used fraudulently — and bills start appearing in your name…

…and you can find out if that is actually happening by simply checking your monthly credit card statement vigilantly. If you find any questionable charges, report them to the financial institution which issued the credit card — usually by calling the telephone number on the back of the credit card. At worst, it may be a legitimate charge about which you might have temporarily forgotten or may simply be a legitimate charge listed under a name you may not recognize. At best, you have caught a scammer attempting to use your information fraudulently; and you will have stopped this person sooner.

Financial institutions have been more proactive in preventing fraud from occurring sooner. That happened to me within the past week and I received an e-mail message pertaining to the potential fraud. Not wanting to respond to the e-mail message directly — as it could be spam or an attempt at “phishing” — the financial institution was contacted via telephone; and sure enough, the charges were legitimate but had not posted to the monthly statement as of yet. My credit card was immediately canceled and a new one will be issued and sent to me — and I am not required by law to pay a single cent for the charges not incurred by me if I report the fraudulent purchases within 60 days, as the Fair Credit Billing Act and the Electronic Fund Transfer Act have specific limits on how much money I will lose if my sensitive data is stolen and used fraudulently.

Summary

As we become increasingly dependent on technology for our everyday tasks, our sensitive information becomes more and more vulnerable — and either companies are failing depute their best efforts; or they are just simply not diligent enough in protecting sensitive data.

Either way, I wonder if companies would be more vigilant if they would compensate customers every time their accounts were breached or their sensitive information stolen. If the answer is that they would go broke if that happened, that only further convinces me of the gravity of this technology problem and that better security measures need to be put in place.

These past articles written by me seem to illustrate how serious is this problem of protecting sensitive data from being breached — and it seems that no company is immune:

 

How would you consider fighting these security and data breaches?

Leave a Reply

Your email address will not be published. Required fields are marked *