It’s the latest in the wave of cyber attacks to hit American businesses.
Guests at some hotels managed by White Lodging Services Corporation – which include such brands as Marriott, Holiday Inn, and Sheraton – may have had their credit and debit card information stolen in a data breach that went on for most of 2013.
According to KrebsOnSecurity, unnamed sources in the banking industry connected fraud involving hundreds of credit cards to a number of Marriott hotels managed by White Lodging. The company, which manages 168 hotels in 21 states, said the food and beverage outlets at 14 hotels were affected by the data breach. White Lodging would not estimate how many credit card numbers might have been taken.
Hackers’ Favorite Targets: Hotels, Retail Stores And Restaurants
The online attack against White Lodging is the latest example of why hotels are a favorite target of cyber thieves: Hotels are vulnerable because they process a large volume of credit and debit card payments and their focus is on customer service, not on protecting guests’ sensitive information. According to the 2013 Trustwave Global Security Report, the places most often targeted by cyber thieves are hotels, retail stores, bars and restaurants. Those industries were targets in 78% of all data breaches.
FBI Warning: Expect More Credit Card Breaches
In late January, in the wake of the Target and Neiman Marcus credit card breaches, the FBI issued a warning to expect more malware attacks that infect point-of-sale (POS) systems. According to Reuters, the FBI sent a confidential report to retailers describing POS malware attacks that capture credit card information as it is swiped at the terminal. This is how it works: Memory-scraping malware captures normally encrypted credit card data during the brief time it exists in plaintext so payments can be authorized. Compromising a single POS system can yield information on thousands of credit cards per week at a very low cost. That’s what makes it so attractive to cyber thieves. The FBI said one type of POS malware has been offered for sale for as much as $6000 in a well-known underground cybercrime forum.
FTC Urges Congress to Pass Data Security Law
In addition to federal and state investigations, at least three congressional panels held hearings last week on consumer data theft. FTC Commissioner Edith Ramirez told the Senate Judiciary Committee the Federal Trade Commission wants a strong federal data security and breach notification law to protect consumers’ sensitive information online. “Never has the need for legislation been greater,” Ramirez said.
“With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, Congress needs to act.”
According to the new Javelin Strategy & Research Identity Fraud Report, one in three consumers who received a notification of a data breach in 2013 discovered they were victims of identity theft – and their stolen information was used to commit fraud.