A massive POS breach has been reported by HEI Hotels and Resorts that run Hyatt, Marriott, Starwood and Intercontinental properties.

The malware is thought to have been on their point-of-sale machines from March 1, 2015 through June 21, 2016 and will impact thousands and thousands of customers. The malware was designed to lift payment card data—including name, payment card account number, card expiration date and verification code.

HEI Hotels and Resorts issued a statement: “Based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software on our payment processing systems at certain properties designed to capture payment card information as it was routed through these systems.”

"The security of a system as a whole is as strong as the strength of its weakest link,” said Giovanni Vigna, Lastline co-founder and CTO. “That’s why complex systems that handle sensitive information should have multiple levels of protections to ensure that no device can be infected. PoS malware is particularly hard to detect because often PoS systems do not have in-host endpoint protection. In these cases, network-level protection systems become paramount."

It is unknown what the cyber crooks will do with the stolen data, but it likely will end up for sale on the dark web.

Source: InfoSecurity