Omni Rancho Las Palmas Resort & Spa in CaliforniaOmni Hotels & Resorts warns customers that hackers infiltrated its networks and for six months used point-of-sale malware to siphon off payment card data.
See Also: Vulnerability Management with Analytics and Intelligence
In a July 8 notice posted on its website, the Dallas-based luxury hotel chain said that it first learned of the data breach on May 30; it doesn't say how. Related malware infections began at some properties on Dec. 23, 2015, and lasted up to June 14, the hotel says.
Omni runs 46 properties in the United States, plus two each in Canada and Mexico. Its data breach notification does not detail how many of those properties were hacked or how many customers had their payment card details compromised by attackers.
"The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date," Omni says in its breach notification. "Upon learning of the intrusion, we promptly engaged leading IT investigation and security firms approved by the major credit card companies to determine the facts and contain the intrusion. The issue has been resolved, and we have taken steps to further strengthen our systems. We have contacted law enforcement and are cooperating with its investigation."
Omni Hotels couldn't be immediately reached for comment on which cybersecurity firms it hired or how many customers may have been affected.
But Andrei Barysevich, director of Eastern European research and analysis for Flashpoint - a company that specializes in cybercrime intelligence - tells The Wall Street Journal that related fraud was first spotted in February after a hacker called JokerStash began selling more than 50,000 payment cards stolen from Omni Hotels on underground forums.
Barysevich said Flashpoint has been helping payment card issuers and payment processors investigate the Omni breach. JokerStash regularly works with other hackers, who continue to refine their POS malware, he added. "They have a very sophisticated operation going on," he told the newspaper.
Investigators: Only Payment Cards Compromised
Based on the investigation to date, Omni says the hack attack only appeared to lead to POS malware infections and apparently did not touch any other systems housing customers' personally identifiable information or payment card data. "Accordingly, if you did not physically present your payment card at a point-of-sale system at one of the affected Omni locations, we do not believe your payment card was affected," the notification reads. "Additionally, there is no evidence that other customer information, such as contact information, Social Security numbers or PINs, were affected by this issue."
The company's breach announcement arrives less than two weeks after Omni Hotels announced that it had hired Ken Barnes, an IT executive with extensive experience in the hospitality industry, to serve as its CIO.
Omni didn't immediately respond to a request for comment about whether it previously employed a CIO, and if so, if the departure of that individual was tied to the data breach.
Identity Theft Cleanup Service Offered
Omni Hotels says that potentially affected customers can receive prepaid identity theft cleanup assistance until July 8, 2017, from AllClear ID. That service says it helps identity theft victims clean up any mess that results from their personal details and payment card data having been stolen and used to commit fraud.
As with most data breaches, however, it's largely up to consumers to spot any related fraud and attempt to recover fraudulent charges. While U.S. consumer protection law stipulates that credit-card-holders have a maximum liability of $50 per card - though many issuers waive even that fee - no such protections exist for debit cards.
In addition, breached businesses such as Omni Hotels do not compensate customers for time spent attempting to clean up any related mess.
POS Malware Epidemic Continues
Security experts say that most POS malware infections could be prevented if hotels and retail chains segmented their networks, audited POS devices before deploying them, changed devices' default account names and passwords, and employed monitoring and anti-malware tools (see Why POS Malware Still Works).
Nevertheless, related infections continue. In the past 12 months, for example, a number of hotels have reported POS malware infections - often affecting their check-in systems, as well as restaurants and bars. Victims have included Hilton, Hyatt and Starwood Hotels and Resorts, as well as Trump Hotels, which potentially fell victim to two separate breaches.