Hotels warned after hackers target guest credit card details
The hotel chain has launched an investigation after malware was found in point-of-sale systems across its 4,500 hotels.
However, it declined to reveal how many of its UK properties had been targeted.
Guests who used a payment card in a Hilton hotel between 21 April and 27 July this year or from 18 November to 5 December last year are being advised to check their bank statements.
Hackers may have had access to cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers (PINs).
The announcement comes just days after Starwood Hotels & Resorts announced 54 of its North American hotels had been infected with malware designed to steal payment card data.
The chain, which was recently bought by Marriott International, said its payment systems had been affected for a varying period between November 2014 and October 2015.
In October the Trump Hotel Collection warned customers it may have been subject to a similar breach between May 2014 and June 2015, though it is not clear if the hotels were targeted in a co-ordinated attack.
Ryan Wilk, director at cyber security firm NuData Security, warned that the wider hotel industry was at risk from similar malware.
“While we can’t know for sure what hackers long-term plans are, it does seem credible that they are targeting specific industries that likely have the same exploits in order to maximise their efforts before moving on to the next industry,” said Wilk.
He added that the hotel sector needed to up its ‘collective game’ and card breaches should not be considered ‘an unavoidable cost of doing business in the digital age’.
”Once they get the card numbers, hackers then sell them on the Dark Web, use them directly in credit card cycling scams, or tie them to other data leaks to create full personas ripe for identity theft or fraudulent account creation," he said.
“If the information is out there, it’s only a matter of time before it’s tested and used.”
Hilton Worldwide said in a statement that it was ‘strongly committed’ to protecting guests privacy and regretted ‘any inconvenience this may have caused customers’.
