If you’ve used your credit card at a Starwood hotel in the past year, you might be at risk for identity theft. In this case, the attack centered on the point-of-sale systems at various hotels, though it doesn’t appear that the reservation system was compromised.
Krebs on Security warns of the data breach and quotes a Starwood Hotels representative:
“We have no indication at this time that our guest reservation or Starwood Preferred Guest membership systems were impacted,” Starwood President Sergio Rivera wrote in a letter to affected customers. “The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date. There is no evidence that other customer information, such as contact information, Social Security numbers or PINs, were affected by this issue.”
I spent a number of years working in the hotel industry and was consistently amazed at how lax some properties were at protecting customer data. In some hotels, there would be file boxes of credit card slips with carbon copies of customer credit cards (back in the day when such things existed). More recently, I’ve seen plenty of instances where hotel staff write credit card data down on slips of paper and leave them in stacks near registers.
It appears the attackers targeted less secure systems in restaurants and gift shops. Starwood has arranged for identity theft monitoring for those affected:
“In addition, we have arranged with AllClear ID to offer identity protection and credit monitoring services to affected Starwood customers for one year at no cost to them.”
Starwood has published a list of hotels that were compromised and how long they believe the compromise lasted. I’ve included a copy of the list in two images below.