Hilton Worldwide Holdings Inc. said Tuesday it has cleaned up a strain of malicious software accessing customer information 17 weeks this year. Attackers targeted the hotel chain’s point-of-sale systems to sweep up customers’ names, as well as their credit-card numbers, security codes and expiration dates.
The breach may have affected customers between April 21 and July 27 of this year or between Nov. 18 and Dec. 5 of last year, the company said. It’s unclear how many of the hotel’s 4,500 locations were affected by the hack, and the firm is asking all customers who stayed at a Hilton property during those period to review their payment records and watch for potential fraud. The breach was first reported by cybersecurity journalist Brian Krebs in September. According to Hilton, it has “strengthened its systems” against outsiders since the breach.
“Hilton Worldwide is strongly committed to protecting customers’ payment-card information, and we sincerely regret any inconvenience this may have caused customers,” Hilton said in a statement. “Hilton Worldwide worked closely with third-party forensics experts, law enforcement and payment-card companies on this investigation, and determined that specific payment-card information was targeted by this malware.”
The announcement of the Hilton breach came five days after Starwood Hotel & Resorts Worldwide Inc. announced its own breach, which lasted nearly six months. Mandarin Oriental, Trump Hotel Collection, and the White Lodging hotel chain also confirmed breaches this year.