An undisclosed number of people who used credit cards at 20 Hyatt, Sheraton, Marriott, Westin and other hotels in 10 states and the District of Columbia may have had their cards compromised as a result of hack of the hotels' payment system.
HEI Hotels & Resorts, which operates just under 60 hotels and resorts under a variety of brands, said that after being notified by its credit card processor of a potential breach, it conducted an internal investigation that found malware on its payment processing systems at the 20 properties . The malware was designed to capture debit and credit card information such as names, card account numbers, card expiration dates and verification codes, as it flowed through the systems.
According to the Norwalk, Connecticut company, the hack potentially affected cards used at point of sale terminals, such as those at the hotels' restaurants and stores, between December 2015 and June 2016. Systems at a few of the affected locations were found to have been infected with the malware as early as March 2015.
Here are the hotels affected:
California
- Hyatt Centric Santa Barbara, 1111 E. Cabrillo Blvd., Santa Barbara, Calif. 93103. Affected dates: 12/26/2015-6/21/2016
- Le Meridien San Francisco, 333 Battery St., San Francisco, Calif. 94111. Dates affected: 3/1/2015-6/7/2015; 12/2/2015-6/8/2016
- Renaissance San Diego Downtown Hotel, 421 W. B St., San Diego, Calif. 92101. Dates affected: 12/26/2015-5/2/2016
- San Diego Marriott La Jolla, 4240 La Jolla Village Dr., La Jolla, Calif. 92037. Dates affected: 12/26/2015--5/2/2016
- The Westin Pasadena,191 N. Los Robles Ave., Pasadena, Calif. 92037. Dates affected: 3/3/2015-5/18/2016
Colorado
- The Westin Snowmass Resort, 100 Elbert Lane, Snowmass Village, Colo. 81615. Dates affected: 12/26/2015-4/10/2016
Florida
- Boca Raton Marriott at Boca Center, 5150 Town Center Cir., Boca Raton, Fla. 33486. Dates affected: 3/1/2015--6/7/2015; 12/15/2015--4/11/2016
- Intercontinental Tampa Bay, 4860 W. Kennedy Blvd., Tampa, Fla. 33609. Dates affected: 3/21/2016--6/15/2016
- Royal Palm South Beach Miami, 1545 Collins Ave., Miami Beach, Fla. 33139. Dates affected: 12/23/2015--6/6/2016
- Westin Fort Lauderdale, 400 Corporate Dr., Fort Lauderdale, Fla. 33334. Dates affected: 1/29/2016--4/13/2016
Illinois
- Hotel Chicago Downtown, 333 N. Dearborn St., Chicago, Ill. 60654. Dates affected: 12/26/2015-4/27/2016
Minnesota
- The Hotel Minneapolis Autograph Collection, 215 4th St. South, Minneapolis, Minn. 55401. Dates affected: 3/1/2015--4/27/2016
- The Westin Minneapolis, 88 South 6th St., Minneapolis, Minn. 55402. Dates affected: 9/2/2015--6/17/2016
Pennsylvania
- The Westin Philadelphia, 99 S. 17th St., Philadelphia, Pa. 19103. Dates affected: 3/10/2016--6/6/2016
Tennessee
- Sheraton Music City Hotel, 777 McGavock Pike, Nashville, Tenn. 37214. Dates affected: 3/1/2015--6/8/2016
Texas
- Dallas Fort Worth Marriott Hotel & Golf Club, 3300 Championship Pkwy., Fort Worth, Texas 76177. Dates affected: 12/26/2015--4/28/2016
Vermont
- Equinox Resort Golf Resort & Spa, 3567 Main St., Manchester Village, Vt. 05254. Dates affected: 12/23/2015--5/4/2016
Virginia
- Le Meridien Arlington, 1121 19th St. N., Arlington, Va. 22209. Dates affected: 12/23/2015--4/28/2016
- Sheraton Pentagon City, 900 S. Orme St., Arlington, Va. 22204. Dates affected: 3/3/2015--6/7/2015; 12/2/2015--6/13/2016
Washington D.C.
- The Westin Washington, D.C. City Center, 1400 M St. NW, Washington, D.C. 20005. Dates affected: 11/15/2015--5/28/2016
Retailers and other companies that deal with large numbers of credit cards have become popular targets for hackers looking to make a quick buck by collecting and selling the information on the internet in bulk. A couple years ago, massive breaches involving the thefts of millions of card numbers at retailers such as Target, Home Depot and Neiman Marcus grabbed headlines. And in in Target's case, its breach ultimate led to the departure of its CEO.
Among the hotel chains, Hilton Worldwide, Trump Hotel Collection and Starwood Hotels & Resorts have all confirmed POS system breaches within the past year or so. More recently, fast food chains Wendy's and Cici's Pizza acknowledged breaches of their systems in the past few months.
Yet the black market value of credit card numbers has tumbled, largely as a result of better fraud prevention technology that allows banks to spot and stop bad transactions faster. As a result, many thieves have moved on to target more lucrative information such as health care data.
HEI said in its notice to consumers that once it found out about the breach of its systems it transitioned payment card processing to a stand-alone system that's completely separate from the rest of its network. It disabled the malware and is in the process of reconfiguring various components of its network and payment systems to make them more secure.
The company said in its statement that it's continuing to cooperate with the law enforcement investigation and coordinating with banks and payment card companies. It added that the breach has been contained and customers can safely use cards at all of its properties. HEI officials didn't immediately return a call seeking additional comment.
HEI advised anyone who used a card at the hotels in question during the given time frame to review their account statements and look for discrepancies or unusual activity, both over the past several months and going forward. Customers who notice anything out of place should contact their card issuer.
As with any breach, consumers are not liable for fraudulent charges on their credit cards. And once a breach such as this is disclosed, as a precaution, banks will often automatically issue new cards to any of their customers that potentially could be affected.