Suspected POS data breach at Trump, Hilton hotels

A suspected data breach of point-of-sale systems at Hilton Hotels properties and franchised locations is being investigated. The Trump Hotel Collection also confirmed that IT security has been compromised at seven of its properties.

A pattern of credit card fraud first identified in August has been traced to POS registers in gift shops, coffee bars and restaurants of Hilton-branded hotels, as well as its Doubletree, Embassy Suites, Hampton Inn, and Waldorf Astoria Hotels and Resorts locations. Security expert Brian Krebs, writing in his Krebs on Security blog, said sources at five different banks have confirmed the breach.

Retail breaches like this have been rare recently. Whether there will be an increase in the fourth quarter bears watching.

The Hilton fraud was initially reported in August in confidential alerts from Visa to a number of financial institutions. Visa said there was a breach at a brick-and-mortar entity from April 21 to July 27, 2015. The alerts listed the card numbers that were compromised, but did not reveal the name of the breached entity. The breach, which did not affect the guest reservation and room payment systems, was later revealed to be at the Hilton operations, Krebs said.

"Hilton Worldwide is strongly committed to protecting our customers' credit card information," the company said in a statement. "We have many systems in place and work with some of the top experts in the field to address data security. Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today's marketplace. We take any potential issue very seriously, and we are looking into this matter."

Seven Trump Hotel Collection properties had POS systems that were infected by malware for more than a year, according to Bank Info Security. The suspected breach has affected an unspecified number of the hotels' guests.

James Socas, executive chairman at iSheriff, told FierceRetailIT of the Trump breach. "Today's news from Trump Hotels, following up on last week's news from Hilton, is yet another attack targeting the Achilles heel of hospitality cyber defenses, the point-of-sale device. Cybercriminals are exploiting vulnerabilities at companies handling the largest volume of payment card transactions, and as one of the largest, global hotel chains, Trump Hotels is on their list," he said.

With POS devices handling most of the payment card transactions around the world, these systems cannot be a security afterthought because they are in the cross-hairs of today's cybercriminals, Socas said.

"POS devices offer a very compelling return on investment, with widespread application in inventory management, initiating loyalty programs, printing bills and payments. Given today's growing security threat landscape, it's a critical time for businesses to examine and enhance POS security capabilities," he said. "Trump Hotels needs to immediately review their security policies and in particular, what they have in place to make POS endpoints much more secure. Each POS device is a gold mine of payment card and personal data, and it could be months and millions of dollars of transactions before a breach is detected."

As for a connection between the breaches at the two hotel chains, Socas said it is still too early to tell. "It is fairly common for attackers to find vulnerability in a device, and to use that vulnerability across multiple targets," he said. "The time for businesses to look at implementing protection for not just their POS devices, but for their entire organization as a whole is now."

"As an organization that sees the attacks that networks and POS devices face on a second-to-second basis, we are acutely aware of the need to implement protection before a breach occurs," Socas said. "It is much more cost effective to proactively implement protection now than it is to pay for the costs of a breach later. For large enterprises, the costs of such a breach can run to millions; for a medium-sized business, a breach such as this could severely impact and even bankrupt the company."

This news breaks shortly before the October fraud liability shift deadline for EMV chip cards, which signals the official transition to the new payment system; however, many retailers, banks and consumers are not ready for it. After the deadline, pegged to Oct. 1, liability for counterfeit card fraud will shift from the card issuers to whichever party in a transaction is least prepared for EMV, whether the retailer or the financial institution.

The new technology protects merchants and consumers from conventional data breaches because cards don't share account data or personal information through the POS system, according to the Cleveland Plain Dealer.

For more:
- See this Krebs on Security blog post
- See this Cleveland Plain Dealer article
- See this Bank Info Security article
- See this iSheriff white paper
