Room Service, You Want Malware?

In a recent finding, assorted large hotels owned and operated by HEI Hotel & Resorts have been victims of malware since 2015. 20 of the company’s hotels were affected, with customer financial data being exposed in a real-time, point-of-sale malware attack. Have you recently stayed at one of these hotels?

A list of the affected establishments, complete with the duration of the attacks, may be found here. It is not currently known how many customers in total were victims of the attack, as many of the victims likely used their credit cards on multiple occasions during their stays.

According to HEI, the malware likely made off with all of the data necessary to steal the card owner’s identity, including their name, account numbers, card expiration dates, and verification codes. Since containing the breach, the company has taken steps to replace their payment system and have contacted law enforcement.

However, since HEI doesn’t retain customer information (which is why the malware captured the data at points of sale) they are unable to reach potentially breached customers. Therefore, customers will need to reach out themselves. There is currently a free number posted for advice, but no credit monitoring yet available for potential victims.

This is not the only point-of-sale issue encountered recently, either. At this year’s Black Hat USA conference, a security researcher presented a device he had created for $6 that could not only duplicate hotel key cards, but also conduct a brute force attack on any door equipped with a card reader, making 48 guesses each minute.

Weston Hecker, the researcher who created the system, also enabled his hand-held device to be capable of inserting keystrokes into a point-of-sale system (like a cash register), using a magstripe reader from a considerably short range--short enough that a “lost cell phone” kept close enough to the device can read and record payment information, among other nefarious functions. This device has the ability to hack a cash register and force the drawer open, shut it down, or connect to malicious websites.

As such attacks get more intricate and widespread, hotels and merchants will need to be on their guard against threats to their IT. Fortunately, SCW has the expertise to protect your systems. For more information, give us a call at (509) 534-1530.