US Hotels Hacked & Credit Card Details Compromised – This Is Getting Pathetic

a silhouette of a person in a hoodie may receive commission from card issuers. Some or all of the card offers that appear on are from advertisers and may impact how and where card products appear on the site. does not include all card companies or all available card offers.

Some links to products and travel providers on this website will earn Traveling For Miles a commission which helps contribute to the running of the site – I’m very grateful to anyone who uses these links but their use is entirely optional. The compensation does not impact how and where products appear on this site and does not impact reviews that are published.

HEI Hotels & Resorts has confirmed that 20 properties that it manages, including some under the Hyatt, IHG, Marriott and Starwood brands, have seen some of their credit card processing systems compromised and infected with malware. The malware was designed to record payment information as it passed through the system and, presumably, pass it on to the originators of the hack.

A statement from HEI Hotels & Resorts reads:

Unfortunately, like many other organizations, we recently became aware that several of our properties may have been the victim of a security incident that could have affected the payment card information of certain individuals who used payment cards at point-of-sale terminals, such as food and beverage outlets, at some of our properties. We take very seriously our responsibility to keep our customers’ information secure, and have mounted a thorough response to investigate and resolve this incident, bolster our data security, and support our customers. We are pleased to report that the incident has now been contained and individuals can safely use payment cards at all of our properties. We are sorry for any concern or frustration that this incident may cause.

The list of affected properties together with the dates during which the properties were affected is as follows:


As well as the list of properties affected HEI is supplying:

  • A detailed Notice Letter explaining what the hotel group believes has happened and what is being done about it.
  • A set of FAQs for those who believe they may have been affected by the malware.
  • A tool free number for customers to call if/when they have questions about this incident (888-849-1113). The phone line is manned between 9am and 9pm ET Monday through Friday.

san-diego-marriott-la-jollaSan Diego Marriott at La Jolla – via Marriott

HEI certainly isn’t the first hotelier to come under attack from hackers.

  • In December 2015 Hyatt admitted that it had found malware on the payment processing systems at some of its hotels but the hotelier never admitted how many hotels had been affected (rumors abound that it was over 300) and it also never got around to explaining why it took over a month, from the date of discovery, to inform the world of the issue.
  • In November 2015 Hilton announced that it had found malware on “some  point-to-point systems” which had accessed all but the addresses and PIN numbers of customers.
  • Just days before Hilton admitted that it had recognised an issue Starwood had announced a problem of its own – 54 Starwood properties across the Americas were found to have had malware on their point of sale systems.
  • In July 2015 Mandarin Oriental announced that some of its properties had been found to be infected with malware but it took the hotel chain up until August to confirm the full extent of teh issue (10 properties across the world).

Hotels Need To Do More

If someone wants to hack into a hotel’s systems badly enough they’re going to be able to do it – that’s just a fact of life and I get that. What shouldn’t be a fact of life is how long it takes the hotels to notice and/or inform the public.

If you take a look at the dates that HEI is saying that its hotels were infected with the malware you’ll see that some date back to March 2015 – that’s 18 months ago!

All of the following hotels have been identified as having the malware installed as early as March 2015:

  • Boca Raton Marriott
  • Le Meriden San Francisco
  • Sheraton Music City Hotel
  • Sheraton Pentagon City
  • The Hotel Minneapolis Autograph Collection
  • The Westin Pasadena
  • The Westin Philadelphia

hotel-minneapolis-autograph-collectionHotel Minneapolis Autograph Collection – via Marriott

And most of the other hotels on the list were infected no later than December 2015.

That’s almost 8 months ago, so why are the hotels only finding out about this (or at least telling us about this) now?!

It’s not just HEI either.

  • Mandarin Oriental first mentioned that it may have had a data breach in July 2015 but, when the full extent of the data breach was revealed, it turned out that the malware had first appeared on its systems over a year before that – June 2014.
  • Starwood’s breach was announced in November 2015 but the infections had occurred as far back as November of the previous year.
  • Hilton’s data breach was also revealed in November 2015 and, just like with Starwood, malware on its systems was found to have been in place a year before.

Don’t Leave Your Credit Card Security In The Hands Of Others

The moral of this story is that you cannot rely on hotels so safeguard your information – they’ve been proven to be incapable of that often enough for this to be pretty clear – you have to check your credit card statements every month.

This doesn’t just go for months when you’ve had hotels stays….this is every month. Hotels are by no means the only weak point and the truth is that you’re at risk every time you use your card.

Set alerts on your credit card accounts to warn you when a transaction over a certain value is made on your card (I have mine set at $20). You know when you’ve used your credit card so you should also notice when you get an email alert but you haven’t actually purchased anything.


Bottom Line

This is unacceptable and, frankly, pathetic.

It’s not news that hackers are continually trying to find ways of installing malware on point of sale systems all over the world so why aren’t hotels doing enough to catch the malware sooner?

How bad are the hotel’s anti-malware products and how infrequently are they updated that they allow malware to be undetected for over a year?

Here’s another question: Starwood and Hyatt hotels already knew there had been breaches in 2015 so why are we seeing hotels from those chains appearing on this HEI list now? Why wasn’t this malware found back then…or is this just duplicate information that HEI is providing?

Sure, there also has to be a degree of vigilance on the part of the consumer to make sure that whatever charges are hitting their credit card are actually legitimate…..but it’s not up to the consumer to detect when or why their details were compromised. That’s the responsibility of the vendor and, in this case, the vendors are looking increasingly incompetent.

Featured image vis Wiki Commons Media