Several financial institutions recently uncovered fraud on credit and debit cards that were all recently used at Marriott hotels run by franchise operator White Lodging Services, according to investigative reporter Brian Krebs.
As was the case with the 2013 breach, Krebs says the recent breach appears to be linked to hacked point of sale systems at restaurants and bars within the hotels.
Customers whose payment card information was stolen in the most recent breach had used their cards at Marriott locations run by White Lodging between September 2014 and January 2015.
“We recently were made aware of the possibility of unusual credit card transactions at a number of hotels operated by one of our franchise management companies,” Marriott spokesman Jeff Flaherty told Krebs. “We understand the franchise company is looking into the matter.”
“Because the suspected issue is related to systems that Marriott does not own or control, we do not have additional information to provide,” Flaherty added.
White Lodging spokesperson Kathleen Sebastian told Krebs the company has hired a security firm to investigate the issue. “To this date, we have found no identifiable infection that would lead us to believe a breach has occurred,” she said. “Our investigation is ongoing.”
Sebastian said that in the time since the 2013 breach, White Lodging has installed a third party managed firewall system, dual-factor authentication, and “various other systems as guided by our third-party cyber security service.”
It’s been a rough few weeks for Marriott — security researcher Randy Westergren also recently discovered that the Marriott International Android app was exposing its users’ reservation data and contact information.
“Marriott was fetching upcoming reservations with a completely unauthenticated request to their web service, meaning one could query the reservations of any rewards member by simply specifying the Membership ID (rewards number),” Westergren wrote in a blog post detailing the vulnerability.
Although Westergren told Forbes the vulnerability had likely been in place for four years, Marriott’s response was impressive — Westergren said the vulnerability was resolved within one day of his informing the company of the flaw.