SAN FRANCISCO — US hotel chain Hilton has revealed hackers have infected some of its point-of-sale computer systems with malware crafted to steal credit card information.
Hilton would not say on Tuesday whether data was taken, but advised anyone who used payment cards at Hilton Worldwide hotels from November 18 to December 5 last year or April 21 to July 27 this year to watch for irregular activity on credit or debit card accounts.
Malicious code that infected registers at hotels had the potential to take cardholders’s names along with card numbers, security codes and expiration dates, Hilton said in an online post.
Hilton said it was investigating the breach with third-party forensics experts, law enforcement and payment card companies.
The announcement came four days after Starwood Hotels, which operates the Sheraton and Westin chains, said hackers had infected payment systems in some of its establishments, potentially leaking customer credit card data.
The hack occurred at a “limited number” of its hotels in North America, according to Starwood.
An investigation by forensic experts concluded that malware was detected in some restaurants, gift shops and other points of sale systems at hotels, Starwood said.
“The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date,” the group said in a statement.
The cyber attacks on Hilton and Starwood sounded similar to one disclosed last month by Trump Hotel Collection.
“We believe that there may have been unauthorised malware access to some of the computers that host our front desk terminals and payment card terminals in our restaurants, gift shops and other point-of-sale purchase locations at some hotels,” Trump Hotel Collection said.
The access may have taken place between May 19 last year and June 2 this year, according to Trump hotels. An independent forensic investigation did not turn up evidence that customer information was removed, it said.
Data targeted by the malware appeared to include account numbers, card expiration dates and security codes.
Cyber threats blogger Brian Krebs at KrebsonSecurity.com described the infiltration of Trump payment systems as “just the latest in a long string of credit card breaches involving hotel brands, restaurants and retail establishments”. He blamed slow adoption in the US of encrypted chip technology on payment cards that provide more protection for data than does magnetic strips.