Cyber Incident Victim: Marriott
Date:
Mar 2015
Location:
United States of America
Summary
A cybersecurity incident involving malware at properties managed by HEI Hotels & Resorts compromised payment card data across multiple hotel brands, including Marriott. The malicious software targeted point-of-sale systems at restaurants, bars, spas, and retail facilities within 20 U.S. hotels, potentially exposing customer names, card numbers, expiration dates, and verification codes—though PINs remained unaffected due to system limitations. The breach impacted 12 Starwood properties, six Marriott locations, one Hyatt, and one InterContinental hotel, with varying transaction volumes observed at individual sites. HEI engaged external investigators, notified federal authorities, and subsequently implemented an isolated payment processing system to mitigate future risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Between March 1, 2015, and June 21, 2016, a malware infection compromised payment systems across 20 U.S. hotels managed by HEI Hotels & Resorts under brands including Starwood, Marriott, Hyatt, and InterContinental Hotels Group (IHG). The malware targeted point-of-sale systems at hotel restaurants, bars, spas, lobby shops, and other guest facilities, capturing payment card data during transactions. HEI detected the malware in early to mid-June 2016 during an internal investigation. The breach impacted 12 Starwood properties, six Marriott locations, one Hyatt hotel, and one IHG hotel, with 14 of these hotels experiencing exposure after December 2, 2015. Transaction volumes varied significantly by property, with approximately 8,000 affected transactions at the Hyatt Centric Santa Barbara and 12,800 at the Tampa IHG InterContinental. HEI stated the total number of affected customers was indeterminable due to potential card reuse across multiple stays or purchases.
HEI engaged external cybersecurity experts to investigate the incident, confirming attackers potentially accessed customer names, payment card account numbers, expiration dates, and card verification codes. PIN data remained uncompromised as HEI’s systems did not collect it. The company notified federal law enforcement agencies and replaced the compromised payment processing infrastructure with an isolated system segmented from its primary network. Affected properties included Starwood’s Westin hotels in Minneapolis, Pasadena, Philadelphia, Snowmass, Washington D.C., and Fort Lauderdale, alongside Starwood locations in Arlington, Manchester Village, San Francisco, Miami, and Nashville. Marriott-branded impacted sites spanned Boca Raton, Dallas-Fort Worth, Chicago, San Diego, and Minneapolis. HEI publicly disclosed the breach on August 14, 2016, via its website and press communications, though Marriott and IHG declined to comment on the incident. No further operational disruptions or long-term financial impacts were detailed in the disclosure.