Hackers steal guests' credit card information at 20 US hotels

The operator of Hyatt, Sheraton, Marriott, and Westin hotels says that it has been targeted by hackers, who for months collected customers credit card information.

Matt Rourke/AP/File
The Westin Philadelphia hotel in Philadelphia in 2010. Hyatt, Sheraton, Marriott and Westin hotels in 10 states and the District of Columbia may have been targeted by hackers for months. Hotel operator HEI Hotels & Resorts said Monday that malware put into place in at least 20 locations may have collected names, card account numbers, card expiration dates and verification codes.

Credit card data from customers at at least 20 Hyatt, Sheraton, Marriott, and Westin hotels may have been compromised by hackers.

Hotels in more than 10 states including California, Florida, Minnesota, and Virginia may have been targeted by hackers who put malware into place to collect names, card account numbers, card expiration dates, and verification codes from early December through late June, said hotel operator HEI Hotels & Resorts. In some locations, information may have been collected going back as far as March 2015. 

Data was collected from cards used at restaurants, bars, spas, lobby shops and other facilities, HEI spokesman Chris Daly told Reuters. 

"We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered," said HEI in a press release, adding that it is now safe for customers to use their credit cards at all hotel locations. 

HEI said it first discovered the breach when it transitioned payment card processing to a standalone system separate from the rest of its network. An investigation is underway as the company works with law enforcement, banks, and payment card companies to determine exactly what happened. 

It's not known yet precisely how many customers may have had their data stolen, Mr. Daly told PCWorld. 

"Due to guests paying in multiple outlets during a stay or even visiting multiple times, or visiting multiple locations managed by HEI, an exact number is difficult to calculate," he said. "Furthermore, HEI does not store credit card details."

HEI recommends that any customers who used a card at the affected properties review their account statements, keeping an eye out for unusual activity, over the past several months and in the future. If you believe your information may have been compromised, contact your credit or debit card company immediately. 

What should you do if your credit card info is stolen? Angela Colley of Dealnews writes

If you notice strange activity on your credit or debit card, report the charges to your bank immediately using the toll free number on the back of the card or on your statement. The Federal Trade Commission says you aren'tresponsible for any charges made on a stolen account number after you report identity theft, so act quickly.

If you find suspicious activity on your accounts, ask one of the credit bureaus to place an initial fraud alert on your credit report. Once you notify one credit bureau, that bureau will notify the others and alerts will appear on all your credit reports. According to the Federal Trade Commission, the alert will remain on your credit report for 90 days. During that time, creditors cannot open new accounts without verifying your information, making it harder for thieves to access your credit. You can file a fraud alert online throughEquifaxExperian, or TransUnion.

Start by ordering a copy of all three credit reports. By law, you're entitled to one free credit report from each credit bureau each year viaAnnualCreditReport.com. You're also entitled to a free credit report after you file an initial fraud alert. Once you have the reports, look for any suspicious activity, like credit inquiries you didn't make or accounts you didn't open.

of stories this month > Get unlimited stories
You've read  of  free articles. Subscribe to continue.

Unlimited digital access $11/month.

Get unlimited Monitor journalism.