Credit Card Readers At Hotels In 10 States, DC May Have Been Hacked

NEW YORK (CBSNewYork/AP) -- An undisclosed number of people who used credit cards at 20 Hyatt, Sheraton, Marriott, Westin and other hotels in 10 states and the District of Columbia may have had their cards compromised as a result of hack of the hotels' payment system.

HEI Hotels & Resorts, which operates just under 60 hotels and resorts under a variety of brands, said that after being notified by its credit card processor of a potential breach, it conducted an internal investigation that found malware on its payment processing systems at the 20 properties. The malware was designed to capture debit and credit card information such as names, card account numbers, card expiration dates and verification codes, as it flowed through the systems.

According to the Norwalk, Connecticut company, the hack potentially affected cards used at point of sale terminals, such as those at the hotels' restaurants and stores, between December 2015 and June 2016. Systems at a few of the affected locations were found to have been infected with the malware as early as March 2015.

For a complete list of the hotels that may have been part of the hack, click here. For a FAQ on the hack, click here.

"Unfortunately, like many other organizations, we recently became aware that several of our properties may have been the victim of a security incident that could have affected the payment card information of certain individuals who used payment cards at point-of-sale terminals, such as food and beverage outlets, at some of our properties," the company said in a message in its website. "We take very seriously our responsibility to keep our customers' information secure, and have mounted a thorough response to investigate and resolve this incident, bolster our data security, and support our customers.  We are pleased to report that the incident has now been contained and individuals can safely use payment cards at all of our properties. We are sorry for any concern or frustration that this incident may cause."

Retailers and other companies that deal with large numbers of credit cards have become popular targets for hackers looking to make a quick buck by collecting and selling the information on the internet in bulk. A couple years ago, massive breaches involving the thefts of millions of card numbers at retailers such as Target, Home Depot and Neiman Marcus grabbed headlines. And in in Target's case, its breach ultimate led to the departure of its CEO.

Among the hotel chains, Hilton Worldwide, Trump Hotel Collection and Starwood Hotels & Resorts have all confirmed POS system breaches within the past year or so. More recently, fast food chains Wendy's and Cici's Pizza acknowledged breaches of their systems in the past few months.

Yet the black market value of credit card numbers has tumbled, largely as a result of better fraud prevention technology that allows banks to spot and stop bad transactions faster. As a result, many thieves have moved on to target more lucrative information such as health care data.

HEI said in its notice to consumers that once it found out about the breach of its systems it transitioned payment card processing to a stand-alone system that's completely separate from the rest of its network. It disabled the malware and is in the process of reconfiguring various components of its network and payment systems to make them more secure.

The company said in its statement that it's continuing to cooperate with the law enforcement investigation and coordinating with banks and payment card companies. It added that the breach has been contained and customers can safely use cards at all of its properties. HEI officials didn't immediately return a call seeking additional comment.

HEI advised anyone who used a card at the hotels in question during the given time frame to review their account statements and look for discrepancies or unusual activity, both over the past several months and going forward. Customers who notice anything out of place should contact their card issuer.

As with any breach, consumers are not liable for fraudulent charges on their credit cards. And once a breach such as this is disclosed, as a precaution, banks will often automatically issue new cards to any of their customers that potentially could be affected.

(TM and © Copyright 2016 CBS Radio Inc. and its relevant subsidiaries. CBS RADIO and EYE Logo TM and Copyright 2016 CBS Broadcasting Inc. Used under license. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.)