Hilton Hotels has confirmed a malware breach that siphoned customer payment data at the checkout, becoming the latest hotel chain to be hacked in a spate of online assaults hitting the hospitality sector.
Hilton says the malware on its systems lifted cardholder details, payment card numbers, security codes and expiration dates over a seventeen-week period in two separate attacks, from 18 November to 5 December 2014 and again from 21 April to 27 July 2015.
The company says no addresses or PINs were compromised but it is warning customers who stayed at any of the company's 4500 worldwide locations to review and monitor their payment card statements.
In a statement that is likely to infuriate banking institutions on the receiving end of third-party breaches, Hilton says: "Customers generally are not responsible for fraudulent activity on their payment cards, and should contact their financial institution directly if they notice any irregularities."
The breach at Hilton follows similar intrusions at other hotel chains, including the Starwood group, which earlier this week confirmed that hackers had stolen customer card details during an eight-month break-in at 54 locations. Trump Hotels and Mandarin Oriental have also previously suffered at the hands of hackers.
Mark Bower, global director of product management, enterprise data security for HPE Security, says that hospitality service providers face extraordinary challenges with customer data security at point of sale (POS).
"Online booking systems often channel card data from various sources and third parties over the internet, creating additional possible points of compromise," he points out. "Partner booking systems accessing the hotel platforms also present additional risks and malware paths for entry to data processing systems to steal sensitive information."