Cyber Incident Victim: HEI Hotels & Resorts
Date:
Mar 2015
Location:
United States of America
Summary
A cybersecurity incident involving malware at 20 U.S. hotels managed by HEI Hotels & Resorts compromised payment card transactions at on-site facilities such as restaurants, bars, and spas across properties affiliated with Starwood, Marriott, Hyatt, and InterContinental. The malware targeted customer names, payment card numbers, expiration dates, and verification codes, though PIN data remained unaffected. The company engaged external experts to investigate, notified federal authorities, and implemented an isolated payment processing system to mitigate future risks. Impacted locations spanned multiple states, with transaction volumes varying significantly per property.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
HEI Hotels & Resorts disclosed a malware-driven payment card breach on August 14, 2016, impacting 20 U.S. hotels it operated under the Starwood, Marriott, Hyatt, and InterContinental brands. The malware infiltrated point-of-sale systems at hotel restaurants, bars, spas, and retail outlets, with activity confirmed between March 1, 2015, and June 21, 2016. HEI detected the intrusion in early to mid-June 2016 during routine system monitoring. Fourteen properties experienced compromise after December 2, 2015, indicating prolonged attacker access. The malware specifically targeted payment card transactions, capturing customer names, credit/debit card numbers, expiration dates, and card verification codes. PIN data remained unaffected as HEI’s systems did not collect it.
The breach impacted 12 Starwood properties, six Marriott locations, one Hyatt hotel, and one InterContinental Hotels Group facility. High-transaction sites included the Hyatt Centric Santa Barbara (8,000 transactions) and the Tampa InterContinental (12,800 transactions). Affected Starwood properties spanned the Westin hotels in Minneapolis, Pasadena, Philadelphia, Snowmass, Washington D.C., Fort Lauderdale, Arlington, Manchester Village, San Francisco, Miami, and Nashville. Marriott locations included hotels in Boca Raton, Dallas-Fort Worth, Chicago, San Diego, and Minneapolis. HEI engaged third-party cybersecurity experts to investigate the intrusion, isolate the malware, and assess data exposure. The company notified federal law enforcement and implemented a segmented payment processing system to prevent cross-network contamination. No public statements were issued by Marriott or IHG following the disclosure.