Two Minneapolis hotels are among the 20 properties nationwide whose point-of-sale terminals were part of a security breach that lasted for more than a year.
HEI Hotels & Resorts disclosed late last week that hackers installed malicious software on its payment processing systems in areas such as its food and beverage outlets. The security incident affected the Hotel Minneapolis Autograph Collection, between March 1, 2015, and April 27 of this year and the Westin Minneapolis from Sept. 2, 2015, to June 17 of this year.
The hotel company said unauthorized individuals may have gleaned customers' names, payment card numbers, expiration dates and verification codes. Debit card PIN numbers were not exposed.
"As a precaution, we are providing this notice, on behalf of our hotel property owners, to make potentially affected customers aware of the incident and call their attention to steps they can take to help protect themselves," the company said on its website. "We take the security of personal information very seriously, and sincerely apologize for any inconvenience or concern this incident may cause."
HEI Hotels, which is based in Connecticut and operates just under 60 hotels and resorts under a variety of brands, added that the security incident has been contained and assured customers they can now safely use payment cards at all of its properties. It said it will continue to review and enhance its security measures.
Aside from the two Minneapolis hotels, other affected hotels included certain Marriott, Hyatt, Sheraton, Westin, Equinox and Le Meridian hotels in nine other states, as well as Washington, D.C.
Retailers and other companies that deal with large numbers of credit cards have become popular targets for hackers looking to make a quick buck by collecting and selling the information on the internet in bulk. A couple of years ago, massive breaches involving the thefts of millions of card numbers at retailers such as Target, Home Depot and Neiman Marcus grabbed headlines. And in Target's case, its breach ultimately contributed to the departure of its CEO.
Among the hotel chains, Hilton Worldwide, Trump Hotel Collection and Starwood Hotels & Resorts have all confirmed point-of-sale system breaches within the past year or so. More recently, fast food chains Wendy's and Cici's Pizza acknowledged breaches of their systems.
Yet the black market value of credit card numbers has tumbled, largely as a result of better fraud prevention technology that allows banks to spot and stop bad transactions faster. As a result, many thieves have moved on to target more lucrative information such as health care data.
HEI said in its notice to consumers that once it found out about the breach of its systems it transitioned payment card processing to a stand-alone system that's completely separate from the rest of its network. It disabled the malware and is in the process of reconfiguring various components of its network and payment systems to make them more secure.
The company said in its statement that it is continuing to cooperate with the law enforcement investigation and coordinating with banks and payment card companies. HEI officials didn't immediately return a call seeking additional comment.
HEI advised anyone who used a card at the hotels in question during the given time frame to review their account statements and look for discrepancies or unusual activity, both over the past several months and going forward.
For more information, customers can contact HEI Hotels at 1-888-849-1113.
Includes reporting by the Associated Press.
Kavita Kumar • 612-673-4113
