Omni Hotels & Resorts has reported that point-of-sale systems at some of its properties were hit by malware targeting payment card information.
The attack on the systems of the luxury hotel chain follows similar breaches of point-of-sale systems at various hotels and retailers like Hyatt Hotels, Target, Starwood Hotels & Resorts Worldwide and Hilton Worldwide Holdings.
Omni in Dallas, Texas, said in a statement Friday that on May 30 this year, it discovered it was hit by malware attacks on its network, affecting specific POS systems on-site at some of its properties. “The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date,” Omni said. There isn’t evidence that other customer information, such as contact information, Social Security numbers or PINs, was compromised, it added.
The chain did not disclose how many of its 60 properties were affected and the likely number of cardholders that could have been affected. As there is no indication that reservation or select guest membership systems were affected, users were unlikely to be affected unless they physically presented their payment card at a POS system at one of the affected locations. The malware may have been in operation between Dec. 23 last year and June 14 this year, although most of the systems were affected during a shorter timeframe, according to the hotel.
The hotel chain, which offers hotels and resorts in the U.S., Canada and Mexico, could not be immediately reached for comment over the weekend for further details.
Omni said after discovering the malware attack, it had immediately hired IT investigation and security firms and has now contained the intrusion. It did not specify why it had delayed to inform customers.
Hackers have been using information stolen in the breach to make fraudulent purchases since late February, Andrei Barysevich, director of cybercrime research at Flashpoint, which worked with payment card issuers and payment processors to investigate the hack, told the Wall Street Journal. One hacker who went by the moniker JokerStash sold more than 50,000 payment card numbers related to the breach, Barysevich told WSJ.
Omni informed customers than even if they had used their cards at any of the affected properties of the hotel, they may not be affected by the issue. However, it advised users to in abundant caution review and monitor their card statements if they used it at an Omni Hotel between Dec. 23 and June 14.
Over a dozen types of malware were found last year that target point-of-sale systems, as cybercriminals redouble efforts to steal payment card information from retailers before new defenses are put in place, FireEye said in March.