Timeline: The growing number of hotel data breaches
 
Timeline: The growing number of hotel data breaches
30 NOVEMBER 2018 10:05 AM

Editor’s Note: This timeline has been updated to include data breaches confirmed in 2018 by Marriott International, Radisson Hotel Group and Huazhu Hotels Group.

GLOBAL REPORT—Hackers continue to target the hospitality industry with sophisticated attacks on secured data. More than a dozen data breaches have been reported by hotels since 2010, affecting everything from major multinational corporations to single properties.

Here is a roundup of the widely reported data security attacks on the hotel industry since 2010. This list will be updated as more breaches are confirmed.

2018

Marriott International

When: Announced 30 November

What happened: Marriott officials issued a news release stating it received an alert on 19 November that hackers had attempted to access its Starwood Hotels & Resorts Worldwide guest reservation database on 8 September. Further investigation revealed unauthorized access to the system as far back as 2014, a year before Marriott announced its intentions to acquire Starwood.

Marriott estimates approximately 500 million guests who made a reservation at a Starwood property since 2014 might have had their information at risk, including 327 million guests whose data includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.” Marriott also confirmed some compromised guest data includes payment card numbers and expiration dates.

Radisson Hotel Group

When: Announced 2 November

What happened: Radisson identified a data breach in its Radisson Rewards database, which affected “a small percentage of our Radisson Rewards members,” according to a news release issued by the company.

According to Radisson’s security investigation, no payment card or password information was compromised as part of the breach, which was “restricted to member name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number and any frequent flyer numbers on file.”

Huazhu Hotels Group

When: Reported 28 August

What happened: Reuters was one of several media outlets to report Chinese police were investigating a possible data breach at Huazhu Hotels Group after being alerted to the leak through social media. Technode reports the leak affected 130 million customers. The Straits Times, citing China’s state news agency Xinhua, reported more than 500 million pieces of guest-related information were compromised across 13 Huazhu hotel brands, including name, cellphone number, login credentials, addresses, date of birth, credit card numbers and room numbers. No timeframe of the breach was reported.

Huazhu issued two news releases regarding the security incident in September. The first reassured its commitment to consumer protection and privacy, while the second gave additional details on the progress of the police investigation, including the arrest of suspects linked to the hack and whose attempted sale of consumer data “was not successful.”

2017

Hilton

On 1 November, BBC News reported Hilton was fined $700,000 for mishandling data breaches in 2014 and 2015. The company discovered the first breach in February 2015 and the second in July 2015, but first went public with the breaches in November 2015. U.S. federal investigators said Hilton “had taken too long to warn customers and had lacked adequate security measures.”

Hyatt Hotels Corporation

When: Announced 12 October

What happened: According to a report from Reuters, Hyatt discovered a data breach into guest payment card information at 41 corporate-managed properties across 11 countries. The breach exposed the properties between 18 March and 2 July. Of the affected hotels, 18 were in China. This was Hyatt’s first major breach since December 2015.

Hyatt Centric The Loop Chicago

When: Announced 4 August

What happened: Integrated Clark Monroe and Interstate Management Company, the owner and management company, respectively, of the Hyatt Centric The Loop Chicago in Chicago, notified guests it had removed “suspicious software from the front-desk computer system” that possibly targeted and exposed payment card information used by guests during check-in at the property between 27 September 2016 and 28 April 2017. Both companies confirmed in a news release that the threat was limited to the property and did not reach Hyatt’s or Interstate’s systems.

Galt House Hotel

When: Announced 26 July

What happened: The Louisville, Kentucky property learned on 26 June that malware had been installed on its credit card readers that targeted cardholder names, account numbers, expiration dates and verification codes. The hotel confirmed in a news release that guests who used their cards on-property between 21 December 2016 and 11 April 2017 might have been at risk.

Sabre Hospitality Solutions

When: Announced starting 6 July

What happened: Multiple hotel companies, including Hard Rock Hotels & Casinos, Four Seasons Hotels and Resorts, Trump Hotels, Loews Hotels, Kimpton Hotels & Restaurants, RLH Corporation and Club Quarter Hotels reported a data breach via a third-party reservations system provided by Sabre Hospitality Solutions. Sabre notified the companies in June of the breach, which granted unauthorized access to credit card information and some reservation information between August 2016 and March 2017. The Roosevelt Hotel in New York City later reported, on 14 August, that it also had been affected by the Sabre breach.

Hard Rock reported 11 properties in the U.S., Mexico and Caribbean regions were affected by the breach. Trump Hotels reported 14 properties in the U.S., United Kingdom, Ireland, Canada and South America were affected by the breach. Loews Hotels notified guests that 21 properties in the U.S. and Canada were affected by the data breach.

Four Seasons did not provide a list of properties affected but specified in a news release that “reservations made on Fourseasons.com, with Four Seasons’ Worldwide Reservations Office, or made directly with any of Four Seasons’ 105 hotels or resorts were not compromised by this incident.”

RLHC confirmed the Sabre breach potentially affected reservations made at eight of the company’s brands, including: Americas Best Value Inn, Canadas Best Value Inn, Jameson, Lexington, Signature Inn, Country Hearth, 3 Palms and Americas Best Inns & Suites. Guests who booked with its other brands—Hotel RL, Red Lion Hotels, Red Lion Inn & Suites, Settle Inn Extended Stay and GuestHouse—were not at risk from the breach, according to the company.

Sabre Hospitality Solutions

When: Announced starting 6 July

What happened: Multiple hotel companies, including Hard Rock Hotels & Casinos, Four Seasons Hotels and Resorts, Trump Hotels and Loews Hotels, reported a data breach via a third-party reservations system provided by Sabre Hospitality Solutions. Sabre notified the companies in June of the breach, which granted unauthorized access to credit card information and some reservation information between August 2016 and March 2017.

Hard Rock reported 11 properties in the U.S., Mexico and Caribbean regions were affected by the breach. Trump Hotels reported 14 properties in the U.S., United Kingdom, Ireland, Canada and South America were affected by the breach. Loews Hotels notified guests that 21 properties in the U.S. and Canada were affected by the data breach.

Four Seasons did not provide a list of properties affected but specified in a news release that “reservations made on Fourseasons.com, with Four Seasons’ Worldwide Reservations Office, or made directly with any of Four Seasons’ 105 hotels or resorts were not compromised by this incident.”

InterContinental Hotels Group

When: First announced 3 February, updated in April

What happened: IHG’s Americas division confirmed food-and-beverage outlets at 12 U.S. hotels were hit by a data breach between 1 August and 20 December 2016, according to a news release. Company officials said malware was installed on the servers of payment card processers of restaurants at IHG-managed hotels in the U.S. and Canada.

Then, in April, data security blog KrebsonSecurity reported the breadth of IHG’s credit card breach had extended from 12 properties to more than 1,000 hotels in the U.S. and Puerto Rico. “According to a statement released by IHG, the investigation ‘identified signs of the operation of malware designed to access payment card data from cards used on-site at front desks at certain IHG-branded franchise locations between 29 September 2016 and 29 December 2016,” the news site reported.

The InterContinental Toronto Yorkville was one of the 12 IHG-managed properties affected by a data breach that was announced 3 February. Guests who used credit cards at F&B outlets at InterContinental Toronto Yorkville between 1 August and 28 November may be at risk. (Photo: InterContinental Hotels Group)

2016

Hutton Hotel

When: Announced 5 September

What happened: The Nashville hotel notified customers of a data breach that could have affected guests who booked a stay at the property between 19 September 2012 and 16 April 2015. Point-of-sales systems at the Hutton were also targeted for a majority of that time period and also between 12 August 2015 and 10 June 2016.

Noble House Hotels & Resorts

When: Announced 2 September

What happened: The Kirkland, Washington-based hotel company initiated an investigation that found malware at nine U.S. properties that put guest credit card data at risk between 25 April and 3 August 2016. This data breach was the second in two years reported by Noble House; the company previously notified customers of a separate attack on 13 November 2015.

Millennium Hotels & Resorts

When: Announced 26 August

What happened: Millennium’s North America office based in Boulder, Colorado, notified customers that 14 U.S. hotels in the company’s portfolio were hit with a data security attack between early March and mid-June 2016. Hackers targeted F&B point-of-sales systems but did not infiltrate Millennium’s property management or booking systems, according to a news release.

Kimpton Hotels & Restaurants

When: Announced 26 July

What happened: After being contacted by data security blog KrebsonSecurity in response to rumors of a potential breach, Kimpton officials confirmed the company had been targeted by hackers by releasing a statement on its website. At the end of August, Kimpton relayed more information about the attack, which reportedly occurred between 16 February and 7 July 2016. Hackers reportedly used malware to scrape information from guest credit cards.

Omni Hotels & Resorts

When: Announced 8 July

What happened: The Dallas-based hotel company discovered on 30 May that a malware attack had targeted credit card information at point-of-sales systems at various Omni properties between 23 December 2015 and 14 June 2016, according to a letter to guests posted on the company’s website. The Dallas Morning News reported Omni officials confirmed “more than 50,000 customer credit and debit cards” at 49 properties were affected by the breach.

2016

Hard Rock Hotel & Casino Las Vegas

When: Announced 5 July

What happened: The Las Vegas resort discovered a breach in its payment card system on 13 May after investigating reports of fraudulent activity with payment cards used at the property, according to a company news release.

Card-scraping malware that targeted cardholder names, card numbers, expiration dates and verification codes was found at the Hard Rock’s restaurant and retail outlet payment systems. Guests who stayed at the resort between 27 October 2015 and 21 March 2016 could have been affected.

Trump Hotel Collection

When: Announced 4 April

What happened: According to technology security blog KrebsonSecurity, unnamed sources identified “a pattern of fraud on customer credit cards, which suggests hackers have breached credit card systems at some—if not all—of the Trump Hotel Collection properties.” Dates of the breach and properties affected have not yet been specified.

Trump officials released a statement to HNN attributed to Eric Trump, EVP of development and acquisitions for The Trump Organization, who said the company is investigating the breach with law enforcement and is “committed to safeguarding all guests’ personal information and will continue to do so vigilantly.” 


Rosen Hotels & Resorts

When: Announced 4 March

What happened: According to a news release from Orlando, Florida-based Rosen Hotels & Resorts, the company was told on 3 February that guests who had stayed at Rosen properties were notified of unauthorized credit card charges. The breach may have affected all company properties between 2 September 2014 and 18 February 2016, according to the release. The company has seven Florida hotels in its portfolio, including six in Orlando. 


2015

Hyatt Hotels Corporation

When: Announced 23 December

What happened: Hyatt announced a data breach that occurred on 30 November 2015, but few details were released at the time. On 15 January 2016, Hyatt officials confirmed hackers targeted payment card data from cards used onsite at 250 Hyatt locations, primarily restaurants, between 13 August 2015 and 8 December 2015. 

The Hyatt Regency Buffalo/Hotel and Conference Center in Buffalo, New York, was one of the 250 Hyatt properties hit during a data breach between 13 August 2015 and 8 December 2015. (Photo: Hyatt Hotels Corporation)

Hilton

When: Announced 24 November

What happened: According to a letter posted on Hilton’s website and written by EVP of global brands Jim Holthouser, a data security attack affected payment systems at Hilton properties from 18 November to 5 December 2014 and 21 April to 27 July 2015. The company released a data breach FAQ but did not specify how many guests were affected. Hilton officials did not specify which properties that were targeted. 


Starwood Hotels & Resorts Worldwide

When: Announced 20 November

What happened: According to a company news release, point-of-sale systems at more than 70 Starwood properties in North America were infected with malware. The affected dates varied by properties, but all told, the attack on the company occurred between 7 November 2014 and 30 June 2015. Officials said guest reservation and loyalty systems were not affected in the attack.


Noble House Hotels and Resorts

When: Announced 13 November

What happened: The breach affected six properties in Florida, California, Colorado and Washington over different time periods, starting 29 December 2014 through 11 August 2015 according to a Noble news release. Malware installed on payment systems at the affected properties downloaded guest information from the magnetic strip on credit cards. 

Guests who stayed at the Mountain Lodge Telluride in Telluride, Colorado, between 29 December 2014 and 27 May 2015 were at risk of credit card fraud as Noble House Hotels and Resorts experienced a data breach at six properties between December 2014 and August 2015. (Photo: Mountain Lodge Telluride)
Trump Hotel Collection

When: Announced 5 October

What happened: Hackers targeted guest credit card information at seven Trump hotels between 19 May 2014 and 2 June 2015, according to the New York-based company. The affected properties included two hotels in New York, along with properties in Miami, Chicago, Hawaii, Las Vegas and Toronto. Trump officials said there was no evidence any guest information was removed from their data systems, but all news regarding the incident was released as a precaution.


Mandarin Oriental Hotel Group

When: Announced 5 March

What happened: Mandarin’s credit card system was compromised by malware. Ten properties across the globe were affected between 18 June 2014 and 12 March 2015. After first confirming the breach in March, the company issued a news release several months later that claimed there was no evidence of identity fraud among affected guests.


White Lodging Services Corporation

When: Announced 5 February, more details released 8 April

What happened: The data breach affected point-of-sales systems at food-and-beverage outlets at 10 White Lodging properties between 3 July 2014 and 6 February 2015. Nine of the 10 affected properties were Marriott brands. This was White Lodging’s second data breach since the beginning of 2014. 

The Louisville Marriott Downtown was one of 10 White Lodging Service Corporation properties affected by a data security breach between 3 July 2014 and 6 February 2015. (Photo: Louisville Marriott Downtown)

2014

Houstonian Hotel Club & Spa

When: First reported 8 July

What happened: According The Houston Chronicle, it was not known how many customers or transactions at the property’s payment systems were affected, but approximately 10,000 customers between 28 December 2013 and 20 June 2014 were at risk of identity fraud.


White Lodging Services Corporation

When: Announced 3 February

What happened: White Lodging reported that point-of-sale systems at 14 of its properties in the U.S.—mostly falling under the , Renaissance and Holiday Inn brands—had been breached between 20 March and 16 December of 2013. In most instances, F&B point-of-sale systems were affected, but in one case a hotel’s property-management system was also affected. The company launched a review with federal law enforcement officials and initiated a third-party forensic review.


2010

HEI Hospitality

When: Announced 2 September

What happened: The data security attack targeted guest credit card transactions made at 10 HEI hotels between 25 March and 10 April. The affected hotels included both Marriott and Starwood brands in California, Michigan, Florida and others.


Westin Bonaventure Hotel and Suites in Los Angeles

When: Announced 8 March

What happened: Hackers targeted guest credit card information at the Los Angeles hotel’s four restaurants and valet services between April and December 2009. 


Wyndham Worldwide Corporation

When: Three separate breaches between April 2008 and January 2010

What happened: Wyndham hotels were hit with data security attacks three times between April 2008 and January 2010, which resulted in nearly $11 million in identity fraud, according to Reuters. The Federal Trade Commission pursued legal action against Wyndham in 2012 but both parties settled the case on 9 December 2015, with Wyndham agreeing to an FTC consent order and the company was absolved of paying any monetary damages.

 

Compiled by Dan Kubacki.

No Comments

Comments that include blatant advertisements or links to products or company websites will be removed to avoid instances of spam. Also, comments that include profanity, lewdness, personal attacks, solicitations or advertising, or other similarly inappropriate or offensive comments or material will be removed from the site. You are fully responsible for the content you post. The opinions expressed in comments do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Please report any violations to our editorial staff.