Another Day, Another Hotel Data Breach: Your DIY Defense Guide


By Robert McGarvey

If you haven’t been a victim in a hotel data breach, count yourself lucky. Latest to join the parade is Intercontinental Hotels Group, which has confirmed a breach involving some 12 hotels.

The hotels are here.

What’s maddening is that the rash of hotel data breaches in recent months all have the same characteristics. The attack is not on the front desk and its computer systems but on point-of-sale terminals in shops and, especially, bars and restaurants.

Said IHG in its statement: “Findings show that malware was installed on servers that processed payment cards used at restaurants and bars of 12 IHG managed properties.  Cards used at the front desk of these properties were not affected.  The malware searched for track data (cardholder name, card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected server.”

Really, it’s time for travelers to protect themselves. Quite plainly we cannot depend upon hotel operators.

Trump Hotels were hit with a couple of breaches.  So was Hilton.  

Starwood, Marriott, Mandarin Oriental and Hard Rock all belong on the victims list.  

Trade publication Hotel News Now charts the many instances of hotel data breaches here.  Its count showed seven in 2015 alone.

Tech company Rippleshot offers a more recent count.

Yet another round up comes from Business Insider.

If you have stayed in any US hotel in the past couple years and especially if you have used credit cards in the restaurants, minutely check your credit card bills.  Very probably you will see charges that aren’t yours because crooks steal credit card numbers in order to put them to use.

Here’s the deal: it has become unwise to use a credit card at a hotel bar, restaurant or shop. Pay in cash and – loudly – insist that they begin accepting Apple and Android Pay now. Immediately. That’s because mobile payments, architecturally, are safer than mag stripe transactions and the card number, expiration date, etc. – the data sought by thieves – are opaque. What moves through the system are tokens, essentially stand-ins, for the valuable card data.

That’s worthless to a crook.

Hotels also could up guest protection by turning on EMV – chip cards – because, by now, just about all the cards in your wallet are chip and that is a big step up from mag stripe cards.

But I don’t recall ever seeing chip terminals in a hotel shop or restaurant. No surprise. Hotel News Now has reported on the “lag” in adoption of chip ready terminals at hotels.  

What baffles me is why – when there have been so many hotel data breaches – the management companies have not made a full court press to up security at the vulnerable terminals.  There really is no good explanation. Note to hoteliers reading this: Use the comments field to explain why the industry has done such a wretched job handling these threats. Anonymity is possible.

The only explanation that makes sense to me is that hotel operators just have not wanted to invest in security upgrades.  The breaches won’t stop until they do, however, which means no end is in sight.

Which also means it’s up to us to yell loudly about these breaches and also to stop using cards at vulnerable facilities – and tell the staff what you are doing and why.

If you find you must use plastic at a hotel restaurant or shop, just don’t think about using a debit card. Your protections are much weaker than with credit cards – and the amounts debited will come right out of your checking account. It can take days – sometimes weeks – to get those charges reversed. Leave debit cards in your pocket whenever you are in a hotel.

Bottom line: assume your safety and security are yours to protect whenever you are at a hotel. That includes physical security – and in-room safety cannot be assumed. It definitely means being guarded about the uses to which you put hotel WiFi. But, sadly, it now also means staying wary about using plastic at hotels.

I just don’t see any deep commitment on the part of the industry to ending theft of credit card data from point of sale systems – and that may mean that whenever you use a credit card at a hotel you may be passing along your data to a crook too.


1 thought on “Another Day, Another Hotel Data Breach: Your DIY Defense Guide”

  1. I have been using the mobile check in when I stay in USA hotels, and not allowing them to swipe my card. A couple of properties have tried to get physical possession of the card to “swipe” but I have steadfastly refused, even under threat of not being allowed to stay in the hotel. The excuses given to need to swipe the card were weak. I was eventually allowed to check in but went immediately to another hotel to arrange to move there the next night and reported the offending hotel to their head office for not conforming to their own chain’s policy. I know they are slow to adopt chip and pin, but I also know there is no excuse for it at all. I pay cash in restaurants that don’t accept Apple Pay or chip and pin. Nice article but the hotel industry has to smarten up. A lot.
