back to article Hilton confirms hotel credit-card-snaffling sales till malware hit

Hilton Worldwide has confirmed that malware found its way onto point-of-sale systems that targeted payment card information. Targeted data included cardholder names, payment card numbers, security codes and expiry dates. Addresses and PINs were not exposed, Hilton concluded, after an investigation that brought in third-party …

  1. Tony S

    The statement written by PR

    The statement says "has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems "

    So there is malware that is authorized? Enquiring minds wish to know.

    1. Anonymous Coward
      Anonymous Coward

      Re: The statement written by PR

      "So there is malware that is authorized? Enquiring minds wish to know."

      Flash? Java?

    2. Ben Bonsall

      Re: The statement written by PR

      Windows CE :)

    3. Anonymous Coward
      Anonymous Coward

      Re: The statement written by PR

      The statement says "has identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems "

      ...some point-of-sale systems, they didn't bother eradicating it in the others?

  2. sysconfig

    How many customers?

    "The hotel chain is also keeping quiet about the number of people or credit card records exposed at a result of the breach."

    The standard answer to this is obviously: "a very small number of customers"

  3. tmTM
    Joke

    Hackers gained access through a backdoor in our illegal wifi blocking kit.

  4. ElectricFox
    FAIL

    PoS terminal?

    Piece of Shit terminal?

  5. adam payne

    Prepay all day long

    1. phil dude
      FAIL

      unfortunately...

      I use a pre-pay app (still had my card cloned... :-( ) , but they ask for a card at the desk to cover incidentals. I don't think it ever gets charged, but the POS machines, might be collecting card info just for swiping...

      Anyone else think we are only getting half the story?

      P.

      1. fruitoftheloon
        Thumb Up

        @phil dude: Re: unfortunately...

        Phil,

        When regularly travelling in the UK on company booked (and paid for with a £25/night allowance) occasions a few years ago, I always refused to give them a card 'just in case you want to charge something Sir...'

        Regards,

        Jay

      2. Anonymous Coward
        Anonymous Coward

        Re: unfortunately...

        I was flown to the US with everything pre-paid, and the hotel (though I don't recall which chain) refused to give me my key until I handed over a credit card - which they then used to try and bill me for what appeared to be a complimentary bottle of mineral water left in the room - which no-one had touched, even after assuring me when I checked out that there were no charges made. I figured this was typical business practice in such places.

      3. Roland6 Silver badge

        Re: unfortunately...

        Anyone else think we are only getting half the story?

        I wonder if there is any connection: http://www.theregister.co.uk/2015/11/24/modpos_point_of_sale_malware/

        Both concern POS equipment in the US, although iSight do use the word 'retailers'...

    2. chivo243 Silver badge

      good advice, but sometimes, you have wait(various reasons) and at the end you usually can't pay cash anyway, they want your plastic number for what again? I can't count the number of times "they just wanted my CC number" we don't charge you or anything...

      1. Jason Hindle

        Re: chivo243 - You could use a pre-paid charge card

        That would put a limit on what the fraudsters could fleece you for, but also means you lose out on cashback/points/miles or whatever perks your credit card gives you.

  6. Alister
    Facepalm

    Exposed data includes cardholder names, payment card numbers, security codes and expiry dates.

    Great, all the information you need to make an online payment then.

    Addresses and PINs were not exposed, Hilton concluded

    Oh well, can't have everything

  7. Anonymous Coward
    Anonymous Coward

    Soo...

    Are they blaming China yet?

  8. thomas k

    Typical

    Still no guidance to employees on how to handle guest inquiries if we're asked about this but I suppose that would require Hilton telling us that the breach had occurred.

  9. Anonymous Coward
    Anonymous Coward

    Attack Vector

    I had the thankless chore of reading through the PCI DSS requirements the other day, not a task I want again. If malware gets onto what is supposed to be a very isolated and restrcited system, what can it get at? Without looking into it I had always assumed that card terminals would encrypt your CHD on the terminal itself before sending that data to bank/processor/jargonofchoice. I'm guessing if malware on the POS can get at it thats not true, or is it in ther terminal too. That or the stolen CHDs have been extracted from the booking system instead?

  10. Simon Harris
    Paris Hilton

    Couldn't resist the obvious comment...

    about being careful what you stick into Hilton's slot.

  11. Nate Amsden Silver badge

    been a while

    I think it's been close to 2 years since one of my CCs was last compromised. I use them at many places including hotels(usually best western or holiday inn), airlines, online(using BofA "shopsafe" virtual CCs). For a year or two it was getting nailed 2-3 times a year seemed like (with most of those being "shopsafe" compromises which doesn't matter to me because nobody else can use those numbers, but the BofA fraud system last I dealt with it anyway couldn't distinguish between a shopsafe compromise and a main card compromise, had to talk to a rep who would manually clear the fraud alert after verifying it was shopsafe).

    Maybe just been lucky I don't know.. outside of a brief trip to europe Target is the only place I've been to that accepts the "chip" on my cards(that have no PIN), other places tell me their chip readers(the few that have them) don't work(yet). I like swipe still myself, much faster.

  12. Anonymous Coward
    Anonymous Coward

    Plausible deniability?

    But Dear, despite what my card statement says, I did not visit Madam Lash when on that business trip!

  13. Anonymous Coward
    Anonymous Coward

    Yeah - they like Steam

    My daughter's debit card got hit the other night for almost $300 of bogus Steam charges. And yes, she used it at a Hilton during the period when they got hacked. Guess once the cat's out of the bag they sell off the numbers as fast as they can.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022