20 top US hotels hit by new malware attacks

A new group of US hotels has fallen victim to PoS malware that is believed to have exposed private customer financial data.

20 US hotels operated by HEI Hotel & Resorts on behalf of Starwood, Marriott, Hyatt, and Intercontinental may have leaked the financial information of its customers due to malicious malware installed at PoS terminals and systems, including at bars, restaurants, spas, and shops on site. HEI believes that customer data including names, payment card account numbers, card expiration dates, and verification codes may have been captured by the malware.

Hotel properties in cities including San Francisco, Chicago, Arlington, and Washington DC were included in the data breach. Malware was active at different stages depending on the property, but customer data was exposed between 2015 and 2016.

Check out the complete list below:


“We take this matter and the security of personal information very seriously and we will continue to review and enhance our security measures to further secure our systems,” the firm said. “Please accept our sincere regret for any concern or frustration that this incident may cause.”

The breach follows similar attacks launched against Hyatt Hotels, Trump and Starwood Hotels & Resorts which we blogged about here.

Those who have stayed at these resorts will have to contact the hotel operator themselves if they believe their data is being used fraudulently due to the breach, as HEI says not enough information is stored to locate past customers.

Here are some key recommendations from our team of experts for ensuring your POS systems are secure and safe:

  • Keeping POS software up to date and performing vulnerability testing
  • Restrict internet access from POS systems and terminals
  • Monitor POS systems and all data activity
  • Use secure (and consistently updating) passwords and 2-factor authentication
  • End-to-end encryption for all POS data
  • Install firewalls and run anti-malware software
  • Don’t forget about physical security – train employees to be on the lookout for tampering attempts!

Connect with Secure Sense to protect data, your network, and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506.

You can find Secure Sense on Facebook,  LinkedIn and Twitter. Follow us for current company and industry news.