Patrons of at least six upscale hotels are affected by HEI Hospitality breach
Date Reported:
9/2/10
Organization:
HEI Hospitality LLC
Contractor/Consultant/Branch:
Algonquin Hotel
Starwood Hotels & Resorts Worldwide, Inc.
Sheraton Crystal City Hotel
The Westin Minneapolis
The Equinox, a Luxury Collection Golf Resort & Spa
Sheraton Music City Hotel
The Westin St. Louis
Location:
Undisclosed
Victims:
Customers
Number Affected:
Undisclosed*
*The breach notification letter mentions "approximately 14 New Hampshire residents", but does not mention the number affected in other states of residence.
Types of Data:
"credit card information"; "credit card type, credit card number, expiration date, security code and information encoded on the magnetic stripe on the back of the card". It is also assumed (by me) that debit cards are involved.
Breach Description:
HEI Hospitality LLC (a private real estate investment group holding at least 36 commercial hotel properties) has notified the New Hampshire Attorney General of a breach affecting customers who used credit cards (and debit cards) at some of their hotel properties. The breach resulted from a suspected exploit of a vulnerability found in point-of-sale (POS) systems used by the organization.
Reference URL:
The New Hampshire Attorney General breach notification
Report Credit:
The New Hampshire Attorney General
Response:
From the online source cited above:
I am writing to inform you about a potential security breach regarding personal information held by HEI.
Based on HEI's investigation to date, it has determined a vulnerability in an information system at certain of its hotel properties may have been exploited, and credit card information related to certain transactions occurring between March 25 and April 17, 2010 may have been compromised.
[Evan] We don't know (from the AG reporting) what the vulnerability was. Was it a technical vulnerability such as a misconfiguration or software bug (for which a patch was available)? Was it a physical vulnerability? Maybe it was an administrative vulnerability where a username and password were disclosed. We can only speculate.
HEI takes privacy and security matters very seriously.
[Evan] Who would claim otherwise?
Upon learning of the incident, HEI initiated an investigation and retained an outside information security firm to investigate the nature and extent of the incident and improve HEI's system security to prevent a similar incident from occurring in the future.
HEI sent the attached notice to individuals whose information may have been compromised.
The notice describes, among other things: (1) the general nature of the incident; (2) the type of personal information that was the subject of the possible security breach; (3) steps that HEI has taken to prevent further misuse of the data; (4) steps the affected individuals can take to protect themselves against identity theft; (5) contact information for inquiries; and (6) information regarding free credit monitoring services that HEI has procured on their behalf.
From the letter to those affected from the Algonquin Hotel (other affected hotels are listed above):
HEI Hospitality LLC ("HEI Hotels & Resorts") owns and operates various hotels, including the Algonquin Hotel.
HEI Hotels & Resorts cares about the privacy and security of personal information that is provided to us by our customers.
We are writing to inform you of a suspected theft of credit card information at the Algonquin Hotel.
We believe the electronic point-of-sale (cash register) and the property management system used at check-in at the Algonquin Hotel were illegally accessed and credit card transactions processed between March 25, 2010 and April 17, 2010 were potentially subject to illegal interception.
[Evan] This leads us to believe that the breach was either technical or administrative in nature. Let's see, possibilities could include a software bug (and perhaps poor patch management), misconfiguration of software and/or devices (poor network, systems, and/or change management), disclosed credentials (poor password and/or awareness management), etc. Again, we only speculate. About the only thing that we do know is that a weakness (vulnerability) was exploited. It's interesting that the breach affected information originating (collected) from multiple locations. This indicates a centralized breach. Why did the breach stop on April 17th?
The point-of-sale systems are used at the restaurants, bars and gift shops at the hotel.
The personal information compromised included some or all of the following information: the credit card type, credit card number, expiration date, security code, and information encoded on the magnetic stripe on the back of the card.
[Evan] Debit cards are not mentioned, but I assume that they too are affected.
We do not have any evidence the information has been further accessed, used or disclosed, or that any individual whose information was accessed has been the subject of an identity theft incident.
Upon learning of this incident we engaged a computer security forensic company to assist us, reported the matter to law enforcement and have taken the necessary steps we believe will avoid a reoccurrence.
[Evan] In my opinion (for what it's worth), HEI did good here. It's important to seek an expert when you need one and you're not one.
We have cooperated fully with law enforcement and the major payment card networks (American Express, Visa, MasterCard, and Discover) have been notified.
We also provided each of the payment card companies with the actual credit card numbers that had been involved in the incident so the payment card companies could take such action as they deemed appropriate to monitor the cards to prevent misuse.
To further protect you, we have engaged a leading provider of credit monitoring products, ConsumerInfo.com, Inc., an Experian company, to provide you with one (1) year of free credit monitoring product that also includes identity theft insurance.
[Evan] If you read some of my other posts, you probably know how I feel about a credit bureau offering credit monitoring and/or protection. Seems like a racket.
Even though HEI Hotels & Resorts has taken these actions to protect you and your information, we nevertheless recommend that you remain vigilant and review your account statements and credit reports regularly.
[Evan] Additionally, cancel all credit/debit card accounts that could be affected and get new ones established. Why wait for something bad to happen?
Please note that when a security breach happens, some criminals seek to fraudulently obtain personal information of affected individuals by claiming to be the business experiencing the breach.
We advise you NOT to respond to any requests from entities requesting your sensitive personal information in relation to this breach.
[Evan] Great advice.
We deeply regret this incident has occurred and reaffirm our commitment to protect the personal information you entrust to us.
Commentary:
I made many comments above. Maybe too many ;).
Past Breaches:
Unknown
Jaikumar Vijayan of Computerworld followed up and reports that 3,400 customers were notified: http://www.computerworld.com/s/article/9184398/Hotel_operator_warns_of_data_breach
And I don't think you made too many comments. You ask aloud why I often think but don't say. :)