Mandarin Oriental, the hotel group managing luxury hotels and resorts in Asia, Europe, the US and Latin America, has confirmed that “the credit card systems in an isolated number of our hotels in the US and Europe have been accessed without authorization and in violation of both civil and criminal law.”
None of its Asian properties have been affected.
“The forensic investigation is still underway and we are unable to confirm specific hotel details at this time,” they noted, but according to banking industry sources queried by Brian Krebs, it seems that most if not all Mandarin hotels in the US have been impacted.
The group didn’t discover the breach itself, but was alerted by third parties – likely financial institutions that noticed a pattern of fraudulent charges on some of their customers’ cards that pointed towards Mandarin hotels.
According to the same sources, the compromise likely dates back to a short period before Christmas 2014.
“The Group has identified and removed the malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio,” the hotel group said in the statement.
“While the Group has leading data security systems in place, this malware is undetectable by all anti-viral systems. The Group has put additional security measures in place at all hotels and is working to ensure everything possible is being done to protect our guests’ personal information,” they said, and added that they have executed additional security protocols, but won’t publicly disclose details about the additional security measures.
So far, the investigation has found that the breach has only affected credit card data. Credit card security codes and guests’ personal data have not been compromised.
“As a security practitioner, I find the rash of continued data breaches frustrating,” commented Trey Ford, Global Security Strategist, Rapid7. “The payment card industry has built a data security standard (the PCI-DSS) in an effort to improve the security programs of all companies that handle credit cards. After a breach, the payment brands have a forensic investigation performed to understand how the criminals succeeded, and improve the odds of pursuing the perpetrators. While the payment brands get the detailed report, the rest of the industry does not. Maybe we will see Mandarin step up and explain how exactly they were compromised, and how other organizations can prevent attackers from using the same technique.”
“For customers that have stayed at one of their facilities, I would consider contacting your credit card company to request a new card. As the trend of corporate compromise continues, I would encourage all consumers to keep a watchful eye on your statements, doubly so if you use your debit card routinely.”
According to the statement, in an effort to prevent similar breaches, Mandarin Oriental has alerted their “technology peers in the hospitality industry” about the compromise they suffered.