Independent security researcher Brian Krebs suggests that thousands of guests at US hotels may have had their credit and debit data stolen.
The cache of data seems to have gone astray from computers belonging to White Lodging Services, said Brian Krebs.
The service company runs 168 franchised hotels in the US for the Hilton, Marriott, Sheraton and Westin chains.
White Lodging said it was currently conducting an investigation into how the data had been taken.
Brian Krebs said White Lodging’s role in the breach emerged as banking industry fraud investigators were looking into a sustained pattern of purchases made on faked cards in Marriott hotels. Oddly, said Brian Krebs in a blog post, the fraudulent purchases were made only at Marriott hotels in six separate cities rather than across the entire chain.
Further investigation revealed that the common factor in all those hotels was they were run by Indiana-based White Lodging.
The fraudulent purchases were made at the gift shops, restaurants and other shops at the hotels and were not used to pay for rooms, said Brian Krebs.
In a statement issued to Brian Krebs, White Lodging said: “We will provide meaningful information as soon as it becomes available.”
In a separate statement, Marriott said it was “working closely” with its franchisee on the investigation.
The latest breach comes in the wake of other much larger attacks on US retailers that saw payment card details for millions of customers stolen.
According to specialists familiar with the Target security breach, the hackers who compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs).
One major US bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said an executive, who spoke on the condition of anonymity because the data breach is still under investigation.
Target spokeswoman Molly Snyder said “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised.” She confirmed that some “encrypted data” was stolen, but declined to say if that included encrypted PINs.
The retailer said last week that hackers stole data from as many as 40 million cards used at Target stores during the first three weeks of the holiday shopping season, making it the second-largest data breach in US retail history.
Target has not said how its systems were compromised, though it described the operation as “sophisticated.” The US Secret Service and the Justice Department are investigating. Officials with both agencies have declined comment on the investigations.
The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense.
While bank customers are typically not liable for losses because of fraudulent activity on their credit and debit cards, JPMorgan Chase & Co and Santander Bank said they have lowered limits on how much cash customers can take out of teller machines and spend at stores.
The unprecedented move has led to complaints from consumer advocates about the inconvenience it caused from the late November Thanksgiving holiday into the run-up to Christmas. But sorting out account activity after a fraudulent withdrawal could take a lot more time and be worse for customers.
JPMorgan has said it was able to reduce inconvenience by giving customers new debit cards printed quickly at many of its branches, and by keeping branches open for extended hours. A Santander spokeswoman was not available for comment on Tuesday.
Security experts said it is highly unusual for banks to reduce caps on withdrawals, and the move likely reflects worries that PINs have fallen into criminal hands, even if they are encrypted.
While the use of encryption codes may prevent amateur hackers from obtaining the digital keys to customer bank deposits, the concern is the coding cannot stop the kind of sophisticated cyber criminal who was able to infiltrate Target for three weeks.
The attack on Target began on November 27, the day before the Thanksgiving holiday, and continued until December 15. Banks that issue debit and credit cards learned about the breach on December 18, and Target publicly disclosed the loss of personal account data on December 19.
On December 21, JPMorgan Chase alerted 2 million of its debit cardholders that it was lowering the daily limits on ATM withdrawals to $100 and capping store purchases with their cards at $500.
Target is being sued by at least 11 customers over a credit card security breach that saw details of more than 40 million cards stolen.
The lawsuits, each seeking class-action status, were filed in US courts in recent days.
Meanwhile, major US banks have moved to limit damages by restricting spending on debit cards.
Security researchers said the stolen card numbers had been seen on underground markets.
Senator Chuck Schumer has called for the Consumer Financial Protection Bureau to investigate the breach.
The thieves managed to grab key details for so many cards by getting malware on to the computer systems at the checkout desks in almost 1,800 Target stores in the US.
It is still not clear how the hackers managed to get their malware on to the systems.
The fraudsters had access to card data read at the tills for almost three weeks, said Target in a statement released after the attack.
Complaints against Target, seeking unspecified damages, have now been filed in Massachusetts by Amanda Tirado; in Florida by Maria Cruz and Jade Gray; in Oregon by Lisa Purcell; in Washington by Kathi Syvlester; in California by Samantha Wredberg and Jennifer Kirk; in Illinois by Janice McCarter and Veronica Ponce; and in Minnesota, the state where Target is based, by Sarah Horton and in a joint case by 0 and Bryan Barth.
In the complaints, customers who shopped at the retailer between November 27 and December 15 argue Target failed to notify them of the breach before it was first reported and did not “maintain reasonable security procedures” to prevent the attack.
They argue the “ramifications of [Target’s] failure to keep class members’ data secure are severe”, citing billions of dollars lost each year to identity theft.
If the cases are allowed as a class action, it is believed the potential number of plaintiffs could be in the millions.
Meanwhile, JP Morgan Chase said it had lowered daily spending limits to $300 and daily cash withdrawal limits to $100 on potentially vulnerable cards as a “precaution”.
Reuters reported that other US banks are also believed to be putting stringent precautions in place that would help to spot if cards were being used fraudulently. In addition, Target said it would offer free credit monitoring for customers affected by fraud.
Target has confirmed it was hit by a major data breach involving information from 40 million of shoppers’ credit and debit cards.
Customers who visited any of Target’s stores between November 27 and December 15 are at risk of having their credit and debit card information stolen.
Target advised customers who visited one of its stores during that timeframe to take the following steps:
Closely monitor your credit and debit card statements for any suspicious activity.
If you find anything suspicious, immediately contact your bank. You can also contact the Federal Trade Commission to report incidents of identity theft or call the FTC at (877) 438-4338.
Check your credit report. If you find information that appears to be fraudulent, request that the credit reporting agency delete that information from your credit report file. You can get a free copy of your credit report once a year from one of the three credit reporting agencies: Experian, Equifax and TransUnion.
Add a fraud alert to your credit report file with one of the three credit reporting agencies. That means creditors will be extra vigilant in protecting you, though it may delay your ability to obtain credit.
To reach Target directly concerning the breach and precautionary steps you should take, call (866) 852-8680. The company says as many as 40 million credit and debit card accounts may have been compromised. Information that may have been stolen includes customers’ names, card numbers and three-digit security codes.