Omni Hotels & Resorts Hit by HackerPOS Malware Reportedly Harvested More Than 50,000 Cards
Omni Hotels & Resorts warns customers that hackers infiltrated its networks and for six months used point-of-sale malware to siphon off payment card data.
See Also: Autonomous Response: Threat Report
In a July 8 notice posted on its website, the Dallas-based luxury hotel chain said that it first learned of the data breach on May 30; it doesn't say how. Related malware infections began at some properties on Dec. 23, 2015, and lasted up to June 14, the hotel says.
Omni runs 46 properties in the United States, plus two each in Canada and Mexico. Its data breach notification does not detail how many of those properties were hacked or how many customers had their payment card details compromised by attackers.
"The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date," Omni says in its breach notification. "Upon learning of the intrusion, we promptly engaged leading IT investigation and security firms approved by the major credit card companies to determine the facts and contain the intrusion. The issue has been resolved, and we have taken steps to further strengthen our systems. We have contacted law enforcement and are cooperating with its investigation."
Omni Hotels couldn't be immediately reached for comment on which cybersecurity firms it hired or how many customers may have been affected.
But Andrei Barysevich, director of Eastern European research and analysis for Flashpoint - a company that specializes in cybercrime intelligence - tells The Wall Street Journal that related fraud was first spotted in February after a hacker called JokerStash began selling more than 50,000 payment cards stolen from Omni Hotels on underground forums.
"JokerStash is currently present on two Russian underground communities: Verified and Omerta," Barysevich tells Information Security Media Group. "Nevertheless, the sale of stolen records takes place solely via a marketplace controlled by the same syndicate."
Barysevich says Flashpoint has been helping payment card issuers and payment processors investigate the Omni breach. JokerStash regularly works with other hackers, who continue to refine their POS malware, he added. "They have a very sophisticated operation going on," he says.
Investigators: Only Payment Cards Compromised
Based on the investigation to date, Omni says the hack attack only appeared to lead to POS malware infections and apparently did not touch any other systems housing customers' personally identifiable information or payment card data. "Accordingly, if you did not physically present your payment card at a point-of-sale system at one of the affected Omni locations, we do not believe your payment card was affected," the notification reads. "Additionally, there is no evidence that other customer information, such as contact information, Social Security numbers or PINs, were affected by this issue."
The company's breach announcement arrives less than two weeks after Omni Hotels announced that it had hired Ken Barnes, an IT executive with extensive experience in the hospitality industry, to serve as its CIO.
Omni didn't immediately respond to a request for comment about whether it previously employed a CIO, and if so, if the departure of that individual was tied to the data breach.
Identity Theft Cleanup Service Offered
Omni Hotels says that potentially affected customers can receive prepaid identity theft cleanup assistance until July 8, 2017, from AllClear ID. That service says it helps identity theft victims clean up any mess that results from their personal details and payment card data having been stolen and used to commit fraud.
As with most data breaches, however, it's largely up to consumers to spot any related fraud and attempt to recover fraudulent charges. While U.S. consumer protection law stipulates that credit-card-holders have a maximum liability of $50 per card - though many issuers waive even that fee - no such protections exist for debit cards.
In addition, breached businesses such as Omni Hotels do not compensate customers for time spent attempting to clean up any related mess.
POS Malware Epidemic Continues
Security experts say that most POS malware infections could be prevented if hotels and retail chains segmented their networks, audited POS devices before deploying them, changed devices' default account names and passwords, and employed monitoring and anti-malware tools (see Why POS Malware Still Works).
Nevertheless, related infections continue. In the past 12 months, for example, a number of hotels have reported POS malware infections - often affecting their check-in systems, as well as restaurants and bars. Victims have included Hilton, Hyatt and Starwood Hotels and Resorts, as well as Trump Hotels, which potentially fell victim to two separate breaches.
Flashpoint's Barysevich says that the sheer scale of many of these POS malware infections demonstrates just how well-organized many card-stealing groups have become. "Although the penetration of a small business' POS system does not require a high level of sophistication, and can be easily prevented by following established security procedures, the infiltration of dozens or even hundreds of locations, likely via a single point of entry, is not something of which the average cybercriminal is capable," he says. "The ability to do so on a consistent basis, compromising the largest and well-known businesses who possess dedicated security personnel, while remaining undetected for a prolonged period of time, are the hallmarks of a sophisticated operation."
Barysevich says that sophistication extends to all aspects of the attack campaign. "To successfully execute such an operation, careful planning and pre-attack reconnaissance is required," he says. "During this phase, the attackers map the target network infrastructure, move laterally on the network, and learn internal procedures and processes prior to deploying custom and undetectable malware targeting specific payment software, subsequently surreptitiously exfiltrating the targeted data - in this case, payment card information."
Each of those stages represents a point at which the defending organization could potentially spot the hackers at work. But according to cybersecurity firm FireEye's Mandiant division, 53 percent of compromised organizations first learn that they were breached thanks to an external entity.
This story has been updated with comment from Barysevich.