Arstechnica: “Checking in with spear phishing, criminals check out with hotel credit card data”

1 Comment

Arstechnica run an article yesterday about how easy it is for criminals to penetrate hotel systems that are used to process transaction data such as credit card payments.

Arstechnica Checking in with spear phishing, criminals check out with hotel credit card data

Over the past couple of years there have been quite a few chainwide breaches where the criminals have been able to hack into the POS (point-of-sale) systems that are used to process payments at hotel outlets.

Here’s an excerpt from the Arstechnica article (access the entire piece here):

These types of attacks, Corrons told Ars, are the work of gangs that have specialized in stealing credit card data from point of sale systems. “Hotels are a gold mine” for credit card theft, he said. And while they have lots of other data, including customer personal information, that might be valuable, the network breaches pulled off by the attackers who hit chains such as Hilton, Mandarin Oriental, Trump Hotels, White Lodging, Starwood, Hyatt, and Hard Rock Las Vegas focused entirely on credit card transaction data—the data most easily monetized.

While the chains affected in these attacks have not publicly detailed how the breaches took place, Corrons said that attacks seen by Panda’s Adaptive Defense 360 service were predominantly via e-mails targeted at hotel employees. “It’s probably the easiest way to get in,” he explained. “You only need to get your hands in one computer, and once you’ve compromised that computer it’s not that difficult to move laterally within the network.”


Hotels are indeed a gold mine for credit card theft considering that practically all the payments are settled using Visa, MasterCard or Amex cards.

I just covered couple of days ago an instance where Sofitel hotel had requested the CVV number of the credit card used to prepay the room (read more here) and previously one hotel requested passport copies along with the both sides of the credit card (read more here).

Hotels really should purge the credit card data rather than keeping them on the PMS systems forever. This wouldn’t help with the malware that has infected the systems and collects the credit card data real-time.