Cyber Incident Victim: White Lodging Services Corporation
Date:
Jan 2015
Location:
United States of America
Summary
A cybersecurity incident involving a franchise management company operating Marriott properties led to fraudulent transactions on customer credit and debit cards, marking the second such occurrence. Financial institutions traced card compromises to point-of-sale systems in food and beverage outlets at multiple hotel locations, with patterns resembling a prior breach. The company initiated a forensic investigation but reported no confirmed evidence of a new compromise. It cited enhanced security measures including third-party firewalls, multi-factor authentication, and partial tokenization of payment systems, with plans to complete tokenization across all terminals. While tokenization reduces PCI compliance scope by replacing card data with valueless tokens, experts noted it does not prevent malware from capturing card information before tokenization. The incident highlighted ongoing challenges in securing payment environments, particularly where delayed transaction finalization necessitates temporary card data storage.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early 2014, multiple financial institutions identified fraudulent activity on customer credit and debit cards traced to Marriott properties managed by White Lodging Services Corporation. On January 31, 2014, initial reports indicated a breach at select White Lodging locations, which the company confirmed three days later. The investigation revealed hackers had installed malicious software on cash registers within food and beverage outlets at 14 properties nationwide, enabling theft of customer card data over approximately nine months. By late January 2015, banks again detected patterns of counterfeit card fraud linked to cards recently used at White Lodging-managed Marriott hotels across multiple states, including locations in Austin, Texas; Bedford Park, Illinois; Denver, Colorado; Indianapolis, Indiana; and Louisville, Kentucky. Financial institutions indicated the fraudulent transactions stemmed from card data compromised between mid-September 2014 and January 2015, with evidence suggesting the attackers again targeted point-of-sale systems in hotel restaurants, bars, and gift shops. White Lodging initiated a forensic audit in response to the 2015 reports but stated preliminary findings showed no identifiable malware or breach indicators. Marriott Corporation clarified that the affected properties were franchise locations operated by White Lodging, emphasizing the compromised systems were outside Marriott’s direct control.
White Lodging disclosed it had implemented several security enhancements following the 2014 breach, including third-party managed firewalls, dual-factor authentication for critical systems, and additional measures guided by cybersecurity consultants. Marriott announced it was nearing completion of a tokenization rollout for its U.S.-managed properties, replacing stored card data with valueless tokens to reduce breach risks. White Lodging confirmed its front-desk systems already used tokenization, while payment terminals in other hotel areas were transitioning to the technology with completion expected by mid-2015. Security analysts noted tokenization primarily simplified compliance with Payment Card Industry standards by reducing audit requirements but did not address malware-based theft of card data during transaction processing. Industry reports highlighted point-to-point encryption as a more secure alternative, though cost and vendor lock-in concerns led many merchants, including hotels, to favor tokenization. Concurrently, U.S. merchants were adopting EMV-chip card readers to combat counterfeit card fraud, though integration challenges arose when combining EMV with existing tokenization frameworks like those used in mobile payment systems. The incidents underscored persistent vulnerabilities in point-of-sale environments despite evolving payment security technologies.