Point of Sale Malware at Retail Stores Inside Hilton & Starwood Hotels
The last few weeks have seen several major hotel chains including Starwood Hotels and Hilton Hotels report data breaches targeting the credit card data used at retail outlets inside the hotels. In both cases, Point of Sale (PoS) malware was the attack culprit.
In a letter to Starwood hotel guests and membership rewards participants, President Sergio Rivera pinpointed where the malware was discovered: “The malware affected certain restaurants, gift shops and other point of sale systems at the relevant Starwood properties.”
Starwood also revealed that it discovered the malware residing in 54 hotels in the U.S. and one in Montreal, Canada. Some of the hotels listed are in popular vacation destinations including Hawaii, New York City, and Disney World in Orlando.
Similarly, at Hilton, several bank sources relayed that PoS malware was being used by attackers in Hilton gift shops and restaurants, according to security journalist Brian Krebs. Hilton has yet to reveal where the malware was discovered or which specific hotels were affected.
The number of customers affected at either hotel brand has not been revealed.
The Retail Connection
As explained in our research on retail security, attackers use a variety of malware and attack styles to target PoS systems in order to pilfer magnetic stripe credit card data. The card data is then resold on underground sites and forums on the dark web. In our retail report, SecurityScorecard’s Chief of Research, Alex Heid, detailed how carders operate:
Malicious actors found on SecurityScorecard’s Hacker Chatter module show frequent discussion surrounding ‘cardable’ websites, which refers to retailers that can be tricked into processing a stolen card number. Carders are encouraged to post lists of websites that are susceptible to fraud through the use of stolen credit cards, along with detailed instructions as to how to extract goods from their targets. Here is an example of a carding website with information for carders looking for sites to make fraudulent purchases:
Problem Areas for Hilton and Starwood
Within the SecurityScorecard platform, both organizations are showing signs of weakness in several security-risk categories. Hilton, which has a ‘C’ grade overall, appears to be having issues with employee-based security, as the company is showing below-average grades for social engineering (D), password exposure (F), and company mentions on hacker chatter forums (F). Hilton is also not faring well in network security (F) and is having issues with malware, as its IP reputation grade is weak (D).
Hilton is performing better in other categories: it shows no issues with the health of its DNS (A) and is doing well in endpoint security (A), a proprietary metric that finds common misconfiguration issues. Hilton is average in application security (C) and in the cadence of its patching (C).
Starwood appears to be performing a little better than Hilton, with an overall grade of ‘B’. Starwood’s biggest issues also appear to be with employee-based security behavior, since its password exposure (F) and social engineering (D) factors are below average. Starwood is also not performing well in network security (F). Starwood is performing at an average level in hacker sites (C), IP reputation ( ), and patching cadence (C), and is performing well in DNS health (A), endpoint security (A), and application security (A).
Hilton and Starwood are by no means the only two hotel companies to have experienced data breaches. This year has seen a rash of publicly reported data breaches at Trump Hotels, Mandarin Oriental, and White Lodging. Online travel website Expedia also experienced a third-party data breach that allowed an attacker access to a hotel partner, which we wrote about earlier this year.
“Expedia has been targeted since their inception by the underground seeking to make use of stolen credit cards to purchase flights, hotels, and vacation packages,” said Heid.