Destination Hotels Card-processing System Hacked

Hackers have broken into the payment processing system of Destination Hotels & Resorts, a high-end chain best known for its resort hotels in destinations such as Vail, Colorado; Lake Tahoe, California; and Maui, Hawaii.

Guests who recently stayed at 21 of the resort's 30 hotels may have been victimized by the scheme, which appears to have compromised point-of-sale systems. The company refused to release many details of the incident -- citing an ongoing investigation by the U.S. Federal Bureau of Investigation -- but in a note posted to its Web site said that it had "uncovered a malicious software program inserted into its credit card processing system from a remote source."

Destination Hotels is in the process of notifying victims but will not say how many people have had their credit card numbers stolen, a company spokeswoman said.

However, the attackers appear to have hit only point-of-sale processing systems, where credit cards are swiped for purchases. Personal information such as guests' home addresses was not compromised, the company said.

The Driskill Hotel in Austin, Texas, was one of the properties that was hacked. There, local police are trying to identify how many local victims were affected, and they have identified as many as 700 nationwide, said the Austin American Statesman, which first reported the breach last week.

Point-of-sale systems have been under attack from hackers over the past few years. In 2008, hackers stole tens of thousands of credit card numbers from guests who stayed at the Wyndham hotel chain. Wyndham was then hacked again in late 2009.

Often the criminals use the same tactics over and over again. They probe networks for point-of-sale systems that connect to the Internet and then either exploit known bugs in the system software or guess the passwords used to remotely administer the machines.

Once they discover how to break into one hotel, they often repeat the attack, stealing credit card numbers from as many locations as possible.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Related:
Shop Tech Products at Amazon