First it was Target. Then Neimen Marcus notified. Next was Michael’s. Now it is White Lodging’s turn. I’ll simply quote from Brian Kreb’s article:
White Lodging, a company that maintains hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin appears to have suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013, KrebsOnSecurity has learned.
Earlier this month, multiple sources in the banking industry began sharing data indicating that they were seeing a pattern of fraud on hundreds of cards that were all previously used at Marriott hotels from roughly March 23, 2013 on through the end of last year. But those sames sources said they were puzzled by the pattern of fraud, because it was seen only at specific Marriott hotels, including locations in Austin, Chicago Denver, Los Angeles, Louisville and Tampa.
Turns out, the common thread among all of those Marriott locations is that they are managed by Merrillville, Indiana-based White Lodging Services Corporation, which bills itself as “a fully-integrated owner, developer and manager of premium brand hotels.” According to the company’s Web site, White Lodging’s property portfolio includes 168 full service hotels in 21 states, with more than 30 restaurants.
White Lodging declined to offer many details, saying in an emailed statement that “an investigation is in progress, and we will provide meaningful information as soon as it becomes available.”
Marriott also issued a statement, noting that “one of its franchisees has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels.” The statement continues:
“They are in the midst of the investigation and are in close contact with the banks and credit cards companies. We are working closely with the franchisee as they investigate the matter. Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide. As this impacts customers of Marriott hotels we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely.”
Other hotel chains franchised by White Lodging — including Hilton and Starwood Hotels (which owns the Sheraton and Westin brands) — could not be immediately reached for comment.
Sources say the breach appears to have affected mainly restaurants, gift shops and other establishments within hotels managed by White Lodging — not the property management systems that run the hotel front desk computers which handle guests checking in and out. In the case of Marriott, for example, all Marriott establishments operated as a franchise must use Marriott’s property management system. As a result, the breach impacted only those Marriott guests who used their cards at White Lodging-managed gift shops and restaurants.
Folks our Credit Card technology is stone age based. What’s worse is the security regulations regulating these card’s data is even more ancient. Most of the regulations are semi-voluntary. Couple that with no real consequences for the firms involved and fraud is not only common it’s rampant. Until some real consequences for these fraudulent breaches come into effect(such as 5% of the annual GROSS income for the breached entity upon the first offense doubling for each subsequent breach over the next 5 years) and this nonsense would stop very quickly. right now free monitoring is simply a cost of doing business for these large firms.