Hotel sector faces ‘cyber crime wave’

The hotel industry is the next big target for cyber criminals, experts have warned, after Hilton became the fourth major hotel group to have customers’ credit card details hacked.

Hilton Hotels, Starwood Hotels & Resorts, Mandarin Oriental and the Trump Collection have all admitted that their payments systems were compromised this year as hackers hunting for credit card details switch their attention to the leisure industry. This week Hilton and Starwood said guests’ personal details had been taken after hackers gained access via payment systems.

Hilton said customer data had been accessed over 17 weeks, from November 18 to December 5, 2014 or April 21 to July 27, 2015.

“The reality is the sector as a whole is dealing with a cyber crime wave,” said Tom Kellermann, chief cyber security officer at Trend Micro, which sells security software. “Customers should be very concerned because in general the industry has insufficiently invested in cyber security.”

Hackers managed to plant viruses into the hotel companies’ point-of-sale systems, and some of the data stolen may not have been encrypted, according to Mr Kellermann. Trend Micro identified one virus, called MalumPoS, which targets Oracle’s Micros platform, a system used at more than 330,000 sites throughout the hotel and leisure industry by companies including InterContinental Hotels, Travelodge, Hyatt, Wyndham, and Accor.

“This type of virus can compromise 95 per cent of the POS systems on the planet,” said Mr Kellermann. The virus disguises itself as a legitimate program and then scrapes through systems to hunt for credit card details. Hilton, Starwood and Oracle declined to comment.

The widespread use of the same strain of malware suggests that the attacks may have been carried out by organised criminals, who then either sell databases of customer credit card details on to fraudsters or conduct the fraud themselves. Credit card details are sometimes not used for months after they have been stolen, or even until after the free credit monitoring often offered by companies expires, to lull victims into a false sense of security.

Hackers have turned their attention to hotels after retailers began improving their security following a series of high-profile attacks on US chains in late 2013 and 2014, including breaches at Target and Home Depot. Justin Harvey, chief security officer at Fidelis Cybersecurity, a US threat detection company, said customers would be worried because enough details may have been stolen to complete a purchase — and potentially in two separate incidents.

Details included cardholder names, payment card numbers, security codes and expiration dates, but no addresses or personal identification numbers. “POS systems have been targeted by con artists for years and malware, which strips away consumer data, is only the latest in this form of attack,” Mr Harvey said.

Lane Thames, a security researcher at Tripwire, added: “If a company has any type of payment processing system, then rest assured someone somewhere has or will eventually try to find a way to break in to steal valuable payment-related information.” Stuart Poole-Robb, chief executive of cyber security and business intelligence advisers KCS Group, also said the hotel industry was “behind on the issue”.

“Their IT security is only just catching up. Hoteliers don’t take much notice of hackers sitting in their lounges hacking guests’ WiFi,” he said. “Vulnerable hotels are Sheraton, Hyatt and Ritz-Carlton. They could all do more than they have done thus far. The less well known hotel groups, second division so to speak, in the major capitals are in an even worse state.”

Mr Kellermann said that only Marriott had taken cyber security seriously and urged it to conduct due diligence on the matter as part of its acquisition of Starwood. “They need to conduct a compromise assessment of the entity that they are going to acquire — what malware is already living in Starwood. Is the target already diseased?” he said.

Source: http://www.ft.com/cms/s/0/82b782fc-9515-11e5-ac15-0f7f7945adba.html#axzz3soptDY00
