The hotel organization said it found malware in payment systems in hotel retail areas such as gift shops and restaurants. The malware infected payment systems since as early as November 2014 but has since been removed.
Starwood Investigates Breach
The company said on its website that it engaged third-party forensic experts to investigate and determined the malware was designed to collect certain payment card information, including cardholder names, payment card numbers, security codes and expiration dates. There is no evidence that other customer information, such as contact information or PINs, was affected. There is also no indication that guest reservation or Starwood Preferred Guest membership systems were impacted.
The hotels have taken steps to secure customer payment card information and the malware no longer presents a threat to customers using payment cards at the hotels.
“Protecting our customers’ information is critically important to Starwood and we take this issue extremely seriously,” said Sergio Rivera, Starwood president for the Americas.
“Quickly after we became aware of the possible issue, we took prompt action to determine the facts. We have been working closely with law enforcement authorities and have been coordinating our efforts with the payment card organizations. We want to assure our customers that we have implemented additional security measures to help prevent this type of crime from reoccurring.”
Customers Told To Review Statements
The company urges customers to review payment card account statements. If they believe their payment card may have been affected, they should contact their bank or card issuer.
Starwood, which has agreed to be bought by Marriott International Inc, said the payment systems at the 54 hotels were affected for varying periods between November 2014 and October 2015, according to Reuters.
Hilton Worldwide Holdings Inc. and Trump Hotel Collection have said that they were investigating possible card fraud at some of their hotels.
The affected Starwood hotels are mostly in the U.S., including a St. Regis in Bal Harbour, Fla., and Sheraton New York Times Square hotel, the Westin New York Grand Central and others. Starwood also posted a list [PDF] of the hotels and dates where the malware was found.
Featured image of the Sheraton Waikiki from Shutterstock.