On Friday, Hei Hotels and Resorts (HEI) announced data breaches that affected 20 properties in 11 states. According to the company's breach notice, hackers installed malware within the company's payment processing systems to collect customers' payment data.
The payment information stolen included the names, payment card account numbers, card expiration dates, and verification codes of customers who used their payment cards at point-of-sale terminals. The list of hotels by state:
|State||City & Property|
|California||La Jolla: San Diego Marriott La Jolla
Pasadena: The Westin Pasadena
San Diego: Renaissance San Diego Downtown Hotel
San Francisco: Le Meridien San Francisco
Santa Barbara: Hyatt Centri Santa Barbara
|Colorado||Snowmass Village: The Westin Snowmass Resort|
|District of Columbia||Washington: The Westin Washington DC City Center|
|Florida||Boca Raton: Boca Raton Marriott at Boca Center
Fort Lauderdale: The Westin Fort Lauderdale
Miami: Royal Palm South Beach Miami
Tampa: InterContinental Tampa Bay
|Illinois||Chicago: Hotel Chicago Downtown|
|Minnesota||Minneapolis: The Hotel Minneapolis Autograph Collection
Minneapolis: The Westin Minneapolis
|Pennsylvania||Philadelphia: The Westin Philadelphia|
|Tennessee||Nashville: Sheraton Music City Hotel|
|Texas||Fort Worth: Dallas Fort Worth Marriott Hotel & Golf Club|
|Vermont||Manchester Village; Equinox Resort Golf Resort & Spa|
|Virginia||Arlington: Le Meridien Arlington
Arlington: Sheraton Pentagon City
The exact date of the breaches varied by property. Some breaches occurred as early as March, 2015 while others continued until as recent as June 17, 2016. A card processor notified HEI of the breach. The HEI breach notice stated:
"We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered, including engaging outside data forensic experts to assist us in investigating and re mediating the situation and promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network. In addition, we have disabled the malware and are in the process of re configuring various components of our network and payment systems to enhance the security of these systems. We have contacted law enforcement and will continue to cooperate with their investigation. We are also coordinating with the banks and payment card companies. While we are continuing to review and enhance our security measures, the incident has now been contained and customers can safely use payment cards at all HEI properties."
HEI is notifying affected customers and consumers that may have been affected:
"... We recommend that customers review credit and debit card account statements as soon as possible in order to determine if there are any discrepancies or unusual activity listed. We urge customers to remain vigilant and continue to monitor statements for unusual activity going forward. If they see anything they do not understand or that looks suspicious, or if they suspect that any fraudulent transactions have taken place, customers should immediately notify the issuer of the credit or debit card. In instances of payment card fraud, it is important to note that federal laws and cardholder policies may limit cardholders’ responsibility for fraudulent activity; we therefore recommend reporting any suspicious activity in a timely fashion to the bank that issued the card..."
The HEI breach notice contains more information for affected consumers to review their credit reports, place Fraud Alerts, and place Credit Freezes.
HEI appears to have been caught unprepared. It did not detect the intrusion, and its breach notice did not arrange for any free credit monitoring for affected consumers. Hopefully, more information is forthcoming.
If you received a breach notice from HEI, what are your opinions of the breach? Of HEI's response so far?