Another casualty in the
secure data arms race

Uh oh. It seems HEI Hotels has joined the ranks of The Home Depot, Target, and other substantial “hackees.” On August 12, HEI published a Notice of Data Breach.”

Affected HEI properties

HEI Hotel properties affected by the breach
(click to enlarge)

You may not have heard of HEI, but you have certainly heard of the 20 potentially targeted properties, or at least their brands, that HEI operates. These include Marriott, Hyatt, Equinox, Intercontinental, Sheraton, Westin, and others.

From the HEI Notice:

Based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software on our payment processing systems at certain properties designed to capture payment card information as it was routed through these systems.

HEI believes the malware could have affected “… payment card data—including name, payment card account number, card expiration date, and verification code—of customers who used a payment card at point-of-sale terminals at the affected properties.”

According to a report released two days ago, the malware had its way with HEI for a whopping 15 months, from March 1, 2015 through June 21, 2016. That’s plenty of time for tens of thousands of transactions.

HEI operates high-end properties, so it may not be unreasonable to assume that the average wealth of those targeted, and their respective card limits, may be higher than, say, the average THD or Target shopper. Moreover, both business and consumer credit cards may have been hacked.

Digital security is an arms race. Each time the good guys come up with a new way to foil hackers, the hackers simply busy themselves defeating it. I don’t expect the arms race to end anytime soon, if ever. Not even chip cards will do away with fraud, although chip use in Canada and other countries has reduced it.

But we needn’t sit helpless. There is much that banks, merchants, and consumers can do to protect themselves. In next week’s post, I’ll go into that in more depth.

Comments are closed.