Sources at numerous U.S. banks indicate that they’ve found a pattern of payment card fraud that strongly suggests a data breach at Hilton Hotel properties.
Hilton acknowledged it has begun an internal investigation of the reported breach, which apparently affects the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and the luxury Waldorf Astoria Hotels & Resorts. It’s not yet known how many hotels were affected.
The breach was first reported by independent security researcher Brian Krebs, whose sources indicate that it may go back to November 2014 and may be ongoing. Krebs adds that, like other recent breaches at hotel properties – such as Mandarin Oriental and White Lodging – this one does not appear to be related to the guest reservation systems:
“Rather, sources say the fraud seems to stem from compromised point-of-sale devices inside of franchised restaurants, coffee bars and gift shops within Hilton properties.”
In an interview with travel industry outlet Skift, Krebs has some suggestions for the hotels that would enhance guests’ security:
“They can take more responsibility for ensuring the card safety and integrity of the systems that run in franchised operations within their hotels,” Krebs says. “Many hotels outsource this out to third parties or completely franchise these operations. I think it’s clear that this hands-off approach is not sufficient.”