Krebs On Security (access here) reported on Wednesday that at least some of Mandarin Oriental’s US point-of-sale systems were infected with malware that had captured the credit card info of some, if not all, customers.
They came to this conclusion after fraudulent charges started to hit the credit cards of customers who had patronized these hotels. Krebs On Security believes that the info likely came from compromised payment terminals at outlets inside the hotels and not from the front desk system (likely Opera).
You can access the Krebs on Security article here, and below is an excerpt:
In response to questions from KrebsOnSecurity, upscale hotel chain Mandarin Oriental Hotel Group today confirmed that its hotels have been affected by a credit card breach.
Reached for comment about reports from financial industry sources about a pattern of fraudulent charges on customer cards that had all recently been used at Mandarin hotels, the company confirmed it is investigating a breach.
“We can confirm that Mandarin Oriental has been alerted to a potential credit card breach and is currently conducting a thorough investigation to identify and resolve the issue,” the company said in an emailed statement.
The statement continues, indicating that some of the chain’s point-of-sale systems were infected with malware capable of stealing customer card data:
“Mandarin Oriental can confirm that the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorization and in violation of both civil and criminal law. The Group has identified and removed the malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio. Unfortunately incidents of this nature are increasingly becoming an industry-wide concern. The Group takes the protection of customer information very seriously and is coordinating with credit card agencies and the necessary forensic specialists to ensure our guests are protected.”
The credit cards stolen from the Mandarin Oriental hotels should fetch a higher price on the credit card black market due to the demographics of the Mandarin Oriental clientele and the credit limits that come with them.
Given the abysmal state of many hotel chains’ IT systems, I think that it is inevitable that at some point in the future one of the entire booking systems used by the hotel chains is compromised and tens of millions of credit card numbers potentially breached.