Cyber Incident Victim: Omni Hotels & Resorts
Date: Dec 2015
Location: United States of America
Summary
Omni Hotels & Resorts experienced a malware infection targeting point-of-sale systems across numerous North American properties, compromising payment card details such as cardholder names, numbers, security codes, and expiration dates. The breach impacted guests who physically presented cards at affected locations, with stolen data subsequently sold online and used for fraudulent purchases. Following discovery of the intrusion, the organization engaged cybersecurity firms to contain the incident and implemented enhanced system protections. Affected individuals were offered complimentary identity protection services for one year.
Description
Omni Hotels & Resorts publicly disclosed a point-of-sale malware infection impacting payment systems across multiple properties in North America. The malware, designed to harvest payment card details including cardholder names, credit/debit card numbers, security codes, and expiration dates, was discovered during an investigation launched on May 30, 2016. Forensic analysis revealed the intrusion affected 49 of Omni's 60 North American hotels, with varying infection periods across locations. While some systems were compromised as early as December 23, 2015, and others as late as June 14, 2016, most properties experienced a narrower window of exposure. The breach exclusively impacted guests who physically presented payment cards at affected hotel locations during active malware periods. Over 50,000 stolen payment card numbers linked to the incident were subsequently offered for sale on cybercriminal forums by an actor using the alias JokerStash, with Flashpoint researchers confirming fraudulent purchases using the compromised data had occurred since February 2016.

Upon detecting the intrusion, Omni Hotels engaged cybersecurity firms approved by major credit card networks to investigate and contain the incident. The company confirmed malware removal and system remediation by June 2016, stating they had implemented additional security measures to strengthen their infrastructure. Impacted guests received notifications and were offered complimentary one-year subscriptions to AllClear ID identity protection services. The breach did not affect all Omni properties, and the company emphasized that online reservations or payments made through non-compromised channels remained secure. No evidence suggested unauthorized access to Omni's central reservation system or guest databases beyond the point-of-sale terminals targeted by the malware. The incident highlighted risks associated with payment system vulnerabilities, particularly in hospitality environments processing high volumes of card-present transactions during peak travel periods.
