Millennium Hotels & Resorts North America Warns of POS Breach
Millennium Hotels & Resorts North America (MHR) said it is aware of a data security incident involving food and beverage point-of-sale systems at 14 of its hotels in the United States.
The company advises customers to review their payment card account statements closely and to report unauthorized charges to their card issuer immediately. Payment card rules generally provide that cardholders are not responsible for unauthorized charges that are reported in a timely manner.
The company has engaged third-party cyber forensic experts to investigate the incident. To date, the investigation has not identified the presence of “malware” on any MHR systems. Initial information suggests that the incident affected point-of-sale systems that processed customer card payments — primarily within food and beverage facilities operating at the hotels — between early March and mid-June.
MHR originally was notified of the incident by the U.S. Secret Service and said it took immediate steps to investigate and isolate the card processing elements of the affected point-of-sale systems, which were promptly taken offline.
Subsequently, MHR was notified by a third-party service provider, which supplies and services the affected point-of-sale systems, that it had detected and addressed malicious code in certain of its legacy point-of-sale systems, including those used by MHR. MHR immediately adopted additional security measures as recommended by the third-party service provider.
The affected point-of-sale systems are separate from other MHR systems, including MHR’s hotel property management and booking systems. The results from MHR’s current investigation do not indicate compromise of those other systems.
“We urge customers who visited our U.S. hotels between early March and the end of June this year to check their payment card records and to report dubious transactions to their card operators immediately,” said Shaun Treacy, president, North America, MHR. “We also urge customers to take advice from their card operators on any further recommended security precautions. The Millennium Hotels & Resorts team, above all, values its customer relationships and is committed to protecting customers’ payment card information. Since being informed of this incident, we have taken a number of steps to ensure that this commitment is met in full.”