Card Thieves Hit Hotel Group Again — Just Before Tokenization Arrives

A group of franchised Marriott hotels appears to have been hit by a payment card breach for the second time in less than a year, Krebs on Security reported — and they did it just months before the hotels will install tokenization on the affected systems.

Multiple financial institutions told security reporter Brian Krebs that they’ve seen fraud on customers’ credit and debit cards that were all recently used at Marriotts operated by White Lodging Services, a hotel management company headquartered in Merrillville, Indiana. Many of the hotels — including those in Austin, Denver, Indianapolis, and Louisville — were also part of a breach that surfaced in January 2014.

In that case, hackers had installed malware on point-of-sale systems in the restaurants and bars of 14 of the company’s hotels about nine months before the breach was discovered. In the latest apparent breach, the stolen payment cards were legitimately used at restaurants and bars in the hotels starting in mid-September 2014, and in each case fraudulent use began after that.

White Lodging spokesperson Kathleen Sebastian told Krebs on Tuesday (Feb. 3) that the company had hired a security firm to investigate the reports, but so far it has found no sign of a compromise. “We have engaged a full forensic audit of the properties in question,” Sebastian wrote by email. “To this date, we have found no identifiable infection that would lead us to believe a breach has occurred. Our investigation is ongoing.”

Sebastian also said that White Lodging has adopted new security measures over the past year, including dual-factor authentication for critical systems, a firewall managed by an outside company, and “various other systems as guided by our third-party cyber security service.”

A Marriott spokesman previously told Krebs that Marriott is almost finished with a project to add tokenization to Marriott hotel point-of-sale systems. (Not surprisingly, he didn’t say whether that was associated with a forthcoming rollout of Apple Pay, which is driving tokenization adoption for many merchants.)

Asked whether White Lodging was also using tokenization, Sebastian said the front-desk systems at all White Lodging-managed Marriotts are fully tokenized, while payment terminals in other parts of the hotel — including restaurants, bars and gift shops — “are transitioning to tokenization and are scheduled to be fully tokenized by the end of the second quarter.”