Hilton Hotels have issued a statement confirming rumours that have swirled around for the last couple of months, stating that malware had found its way onto point-of-sale systems and stole payment card information.
That stolen information includes cardholder names, payment card numbers, security codes and expiry dates. However, addresses and PINs have not been exposed.
Right now Hilton doesn’t appear to be sharing any information about how many or which hotel locations may have been affected by the breach, or whether the attack was limited (as was the case in other attacks on hotel chains) to point of sales devices in restaurants and retail outlets, rather than necessarily at the check-in desk. Mark James, Security specialist at IT security firm ESET have the following comments on it.
[su_note note_color=”#ffffcc” text_color=”#00000″]Mark James, Security Specialist at IT Security Firm ESET :
What happened?
“Malware these days are becoming more and more sophisticated. They are designed to sit quietly in the background of vulnerable hardware monitoring, copying and sending your very private credit card details off to servers on the internet for many uses including identity theft and credit card fraud. As each of these terminals are used to process your night’s stay before that business trip or vacation that data is skimmed and sent off for the criminals to use as they wish.”
What should Hilton do now?
“Hilton must make sure they keep their customers notified and up to date. They need to review their hardware that handle credit card data and ensure they are using the latest operating systems and also periodically updated and patched with the latest security patches as soon as they are released. Having a good Internet security program that updates regularly is a must to help protect their users’ data. We the public need to know as soon as it happens with a good clear indication of what when and where it happened to enable us to properly protect our finances from future abuse.”
What should customers do?
“If you don’t already, you need to keep a close eye on your bank statements and you may want to consider using a separate credit card for all transactions that may be insecure. If you find anything amiss however small it may seem you need to call your card issuer immediately, they will protect you if you notify them in good time. Be very wary of any “out of the ordinary” emails or phone calls with some validated data asking for more personal information. If in doubt, cancel the affected card and get a new one reissued as soon as possible.”
There have been many hotel breaches recently (Starwood, Trump Hotels etc.) where are the hotels going wrong?
“Hotels must review the hardware and software at these very important gateways, all too often it’s outdated even EOL (End of life) operating systems like windows XP that host these environments that are not having the latest security patches installed. Even newer operating systems if not being updated as soon as patches are available will be vulnerable if no procedures are in place to ensure this happens.”
With the discovery of ever more complex PoS malware (such as ModPos yesterday), are we likely to see more PoS breaches and what can businesses do to protect themselves?
“Yes definitely, companies need to constantly update their software, monitor their network data and have a clear understanding of common and upcoming threats to enable them to combat these modern day attacks. Malware writers are getting more advanced and malware in general is becoming more sophisticated, keeping up to date with modern techniques is a very good way to combat this.”[/su_note][su_box title=”About ESET” style=”noise” box_color=”#336588″]
Since 1987, ESET® has been developing award-winning
