Last February, financial industry insiders first reported evidence that hackers might have breached security and stolen customer payment card information from various hotels run by the White Lodging Services Corporation (which operates franchises under various brand names including Marriott, Sheraton, Renaissance and Courtyard).
Specifically, the hackers managed to plant malware on the point-of-sale systems used in the bars and restaurants attached to certain White Lodging-owned hotels, and stole the payment card information of anybody who ate in a hotel restaurant or drank in a hotel bar.
Security expert Brian Krebs first reported the suspected White Lodging breach in February. However, not until late last week did White Lodging confirm the breach and specify exactly which customers are at risk.
In a press release dated April 8, White Lodging admitted that from July 3, 2014 through February 6 of this year, hackers had compromised the point-of-sale systems for the food and beverage outlets connected to hotels in 10 different locations:
- Indianapolis Marriott Downtown, Indianapolis, IN
- Chicago Marriott Midway Airport, Chicago, IL
- Auburn Hills Marriott Pontiac at Centerpoint, Pontiac, MI
- Austin Marriott South Airport, Austin, TX
- Boulder Marriott, Boulder, CO
- Denver Marriott South at Park Meadows, Denver, CO
- Louisville Marriott Downtown, Louisville, KY
- Renaissance Boulder Flatiron, Broomfield, CO
- Courtyard Austin Downtown, Austin, TX
- Sheraton Hotel Erie Bayfront, Erie, PA
However, guests who stayed at those hotels without using their cards to pay for food or beverage services are not at risk.
The stolen data is believed to include customers' names, credit or debit card numbers, security codes and card expiration dates.
As usual in such circumstances, the company is offering a year of free credit protection services, this time through Experian:
For more information about how to enroll for this service, please send an email to WhiteLodging@protectmyid.com. You will then receive enrollment instructions. Alternatively, you can enroll by calling 1-866-926-9803. If you call this number, you will be presented with a recorded message and various options. Press 1 to access the enrollment information. If you are a non-U.S. resident, the available services will vary. If you decide to enroll in the service, you will be required to provide your Social Security number for identification purposes.
Watch for scams
White Lodging's press release also warned customers to watch out for scam artists who might send them scammy emails or text messages falsely claiming to be from White Lodging. This happens anytime there's a widely publicized hacking: as soon as the media reports that Company X has been hacked, scam artists immediately start using Company X's name in their bait emails.
If you receive any email or other communication allegedly from White Lodging and warning you that you personally were compromised in the attack, that message is guaranteed to be a fake. White Lodging is not informing individuals, because they can't. The company's online FAQ page about the hacking includes this question-and-answer combo:
Q: Why wasn’t I notified directly about this incident?
A: Because this incident affected the point of sale systems at select food and beverage outlets, we do not have contact information associated with the affected credit/debit cards. Therefore, we could not notify you directly by email, postal mail or telephone.