Washington, District of Columbia

HomeDistrict of ColumbiaWashington

Email Jonathan Nace Jonathan Nace on LinkedIn
Jonathan Nace
Jonathan Nace
Attorney • (202) 930-0292

Starwood Hotels Announces Latest Data Breach

Comments Off

Starwood Hotels has announced a data breach of its hotel chains which appears to be a “point of sales” malware attack, and it appears personal and sensitive information including credit card numbers has been lost.

Based on the investigation, we discovered that the point of sale systems at certain Starwood hotels were infected with malware, enabling unauthorized parties to access payment card data of some of our customers. We want you to know that the affected hotels have taken steps to secure customer payment card information, and the malware no longer presents a threat to customers using payment cards at our hotels.

A point of sales attack essentially means that payment information was targeted by the hack.  This information is often stolen, not to be used by the hacker, but to be sold on the deep internet or “dark web.”

Starwood’s notice lists early known information about the attack:

The attack targeted certain point of sale systems at a limited number of Starwood properties in North America. The locations and potential dates of exposure for each affected Starwood property are listed here.

The malware affected certain restaurants, gift shops and other point of sale systems at the relevant Starwood properties. We have no indication at this time that our guest reservation or Starwood Preferred Guest membership systems were impacted.

The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date. There is no evidence that other customer information, such as contact information, Social Security numbers or PINs, were affected by this issue.

As is common with any company that suffers a data breach, the notice downplays the significance of the information lost – amazingly credit card numbers are not troubling – and stresses what information was not collected.

Starwood did provide a link to a pdf file of hotels known to be hit so far.  All of the hotels listed are in North America, and affect chains such as Sheraton, St. Regis, Westin and W Hotels.

It is advised that if you have stayed at one of these hotels that you monitor your credit closely.  It is also advised that if you have stayed at any Starwood hotel in the recent past, you continue to monitor this breach as the extent of any breach typically grows as more information is collected by law enforcement and third party security companies.