U.S hotel malware may have compromised guests’ credit card data

A four-star hotel in the U.S. has discovered a data breach that may have compromised an undisclosed number of guests’ credit card information.

The Galt House Hotel, located in the state of Kentucky, discovered malicious software stealing information from a “payment card processing system” where credit card information is stored for payment purposes.

An internal investigation discovered the malware, and it’s believed that guests who used their credit cards to pay for visits between 21^st December 2016 and 11^th April 2017 may be affected.

Sensitive financial information taken

The hotel has not disclosed how many guests stayed with them or used their credit cards in the hotel during the three-and-a-half month period where the breach is thought to have happened. According to reports, the malicious software was programmed to infiltrate the payment card processing system and copy all the credit information it could find.

It’s suspected that the following information was stolen by the malware:

With this much information, credit card holders are potentially at a huge risk of unauthorised banking activity, financial fraud, and even being contacted by data criminals who impersonate service providers to obtain even more information or defraud victims of money.

Issue now resolved

The hotel has apparently “resolved the issue” and is taking steps to patch up and increase security measures.

Still, a data breach like this one cannot always be simply “resolved”. An organisation can identify the malware, remove it, and put in new and improved security, but the damage is done and it may be much harder to repair. The impact of a data breach can mean no tangible end – those whose data has been stolen could at any point fall victim to some sort of scam.

We may never know who has accessed the stolen information…

For this data breach, the credit card owners may never know just how many people have had access to their information; if they still have it; what they have done with it; and what they may do with it in the future.

As long as that information remains valid, the data owners may be at risk of unauthorised financial activity.

Even when the information is no longer valid – e.g. the credit card owner closes down their bank account – cybercriminals may contact the individual, pretending to be, perhaps, an internet provider. They may say that payments aren’t coming through and convince the individual to go through their new credit details to ensure they still get access to some form of service. The fraudsters can be quite convincing and may try several ways of trying to steal victims’ money.

Not the first breach of its kind

The Galt House Hotel’s data breach is reminiscent of InterContinental Hotels Group’s (IHG) own data breach earlier this year. Even though the IHG is a multinational corporation, the source of their data breach was also though malware on payment card systems.

Back in April 2016, the Trump Hotel Collection reportedly suffered a data breach twice in one year. Reports revealed that the point-of-sale systems were infected with malware.

Point-of-sale system vulnerabilities

This pattern is not a coincidence. Hotels, restaurants and retailers who use point-of-sale systems or other payment card systems need to recognise the vulnerabilities.

In a society where bank transactions are so easy and convenient, the machines and systems processing these payments cannot be simply installed and expected to provide adequate security as they are. Today, there are many ways the scammers can use to penetrate systems of all kinds. Cybersecurity needs to always be a priority.

Tewksbury Hospital admits data breach by former employee

Data breaches are happening more and more frequently: and we can’t keep up…