Starwood Hotels and Resorts reported that it was the victim of data breaches affecting its properties in the United States and Canada. Starwood owns the Sheraton, Westin, St. Regis and W hotel brands.
Different Starwood hotels were affected for varying periods of time, with the earliest breach likely occurring on Nov. 5, 2014, at the Walt Disney World Dolphin, Sheraton hotel. Other locations, such as the Sheraton Boston, Dallas and Denver hotels, were affected starting on March 2 of this year. The breaches were all contained inside of June 30.
Starwood stated in a notice to customers that as soon as the issue was discovered, the hotel chain started to work with third-party forensic experts to investigate.
"We do not know who did this," a Starwood spokesperson told eWEEK. "We are working closely with law-enforcement authorities to help identify the criminals."
The malware affected point-of-sale systems at a 54 Starwood hotel locations. The attackers gained access to credit card information, including cardholder name, card number, security code and expiration dates.
"The malware no longer presents a threat to customers using payment cards at our hotels," the spokesperson said. "We continually assess our security practices based on the current threat environment and are focused on addressing this issue."
Security experts eWEEK contacted were somewhat surprised at the amount of time it took for Starwood to disclose the breach, as well as the timing of the disclosure.
"It's very concerning that it took such a long time to disclose it—five or six months," Andy Hayter, security evangelist at G DATA, told eWEEK. "From what Starwood disclosed, the reservation system was not impacted, which is probably the only positive news coming out of this massive breach."
JP Bourget, CEO of Syncurity, a Mach37 company, is particularly concerned about the timing of the Starwood disclosure. Marriott International recently agreed to acquire Starwood for $12.2 billion.
"I suspect in the future these sorts of breaches may have an economic impact on merger and acquisition deals in progress," Bourget said.
Scott Petry, CEO of Authentic8, commented that the unfortunate reality is that breaches are a fact of life. As such, people should expect them to occur and take steps to protect themselves.
"This is yet another example of how even major brands with plentiful resources can be breached," Petry said. "Criminals may target specific large brands and make the news, but the majority of breaches happen through malware infections and broad exploits that indiscriminately attack users from even the smallest organizations—and these organizations clearly don't have the resources to detect or remediate breaches effectively."
For consumers, the Starwood breach serves as yet another potential risk to credit cards and personal information.
Wayne Crowder, director of threat intelligence at RiskAnalytics, commented that consumers in this day and age need to be watching and questioning suspicious charges on their accounts.
"The consumer and banks in many instances are the first to discover fraud from stolen credit or debit cards," Crowder said.
Bourget suggested that consumers not use debit cards to make purchases since the potential liability for not noticing fraud quickly is higher than with a credit card. He also suggests that consumers choose a credit card provider that allows them to set up alerts on transactions over a certain dollar amount.
Hayter also emphasized the need to monitor all credit card transactions. "Many bad guys will use small transactions first to see if an account works or if it is being monitored," Hayter said. "If they feel comfortable with the account, they will then spend big on your behalf, stealing all your money and savings."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.