The long sorted list of companies that have had their payment systems has added a new victim to it’s ranks. This past Friday the upscale Hutton Hotel, a stones throw from Vanderbilt University in Nashville, disclosed that their payment processing systems in their hotel had been compromised by ne’er do wells.
I think we have arrived at the point where companies that have payment systems that have not been reviewed should assume that they’re compromised until proven otherwise. A dour assessment of things. But, when you consider that companies like Hard Rock, Target and even Trump Hotels (twice) suffered similar compromises it really leads one to assume that this is an activity required for any information security team. If you are responsible for a payment
From data breach disclosure:
The program could have affected payment card data—including cardholder name, payment card account number, card expiration date, and verification code—of guests who used a payment card to pay for or place hotel reservations during the period from September 19, 2012 to April 16, 2015, or who made purchases at the onsite food and beverage outlets from November 15, 2015 to June 10, 2016. Our records show that you used a payment card to pay for or place a hotel reservation at the Hutton Hotel during the relevant period.
That was a long time to have malware skimming card numbers from the network. The customers of the Nashville based hotel are being provided with credit monitoring (as per US law). One almost wonders, with all of the “free” credit monitoring if you could create a secondary resale market. I'm only being partly flippant in this case.
As with each breach that came before them, the Hutton Hotel has engaged an external firm to investigate. The breach was first brought to their attention by their payment processor and they do mention that law enforcement has gotten involved.
So, what can you do? As always, you need to be diligent in keeping an eye on the charges that are showing up on your credit card statements. In an example such as this, the breach lasted for two and a half years. The miscreants in the case were able to install malicious software on the payment processing system at the hotel. The hotel countered that they had now instituted a “stand alone” payment system which causes me to ask more questions than I expected was their intent.
Attackers continue to abuse the digital supply chains of retail and hospitality companies because they can. Until there is a concerted effort to weed out this sort of attack, companies will continue to end up in the papers in a negative light.