Editor’s note: This timeline has been updated to include new information on an earlier breach reported by InterContinental Hotels Group and a Sabre Hospitality Solutions breach that affected several hotel companies.
GLOBAL REPORT—Hackers continue to target the hospitality industry with sophisticated attacks on secured data. More than a dozen data breaches have been reported by hotels since 2010, affecting everything from major multinational corporations to single properties.
Here is a roundup of the widely reported data security attacks on the hotel industry since 2010. This list will be updated as more breaches are confirmed.
Sabre Hospitality Solutions
When: Announced starting 6 July
What happened: Multiple hotel companies, including Hard Rock Hotels & Casinos, Four Seasons Hotels and Resorts, Trump Hotels and Loews Hotels, reported a data breach via a third-party reservations system provided by Sabre Hospitality Solutions. Sabre notified the companies in June of the breach, which granted unauthorized access to credit card information and some reservation information between August 2016 and March 2017.
Hard Rock reported 11 properties in the U.S., Mexico and Caribbean regions were affected by the breach. Trump Hotels reported 14 properties in the U.S., United Kingdom, Ireland, Canada and South America were affected by the breach. Loews Hotels notified guests that 21 properties in the U.S. and Canada were affected by the data breach.
Four Seasons did not provide a list of properties affected but specified in a news release that “reservations made on Fourseasons.com, with Four Seasons’ Worldwide Reservations Office, or made directly with any of Four Seasons’ 105 hotels or resorts were not compromised by this incident.”
InterContinental Hotels Group
When: First announced 3 February, updated in April
What happened: IHG’s Americas division confirmed food-and-beverage outlets at 12 U.S. hotels were hit by a data breach between 1 August and 20 December 2016, according to a news release. Company officials said malware was installed on the servers of payment card processors of restaurants at IHG-managed hotels in the U.S. and Canada.
Then, in April, data security blog KrebsonSecurity reported the breadth of IHG’s credit card breach had extended from 12 properties to more than 1,000 hotels in the U.S. and Puerto Rico. “According to a statement released by IHG, the investigation ‘identified signs of the operation of malware designed to access payment card data from cards used on-site at front desks at certain IHG-branded franchise locations between 29 September 2016 and 29 December 2016,’” the news site reported.
When: Announced 5 September
What happened: The Nashville hotel notified customers of a data breach that could have affected guests who booked a stay at the property between 19 September 2012 and 16 April 2015. Point-of-sale systems at the Hutton were also targeted for a majority of that time period, as well as between 12 August 2015 and 10 June 2016.
Noble House Hotels & Resorts
When: Announced 2 September
What happened: The Kirkland, Washington-based hotel company initiated an investigation that found malware at nine U.S. properties that put guest credit card data at risk between 25 April and 3 August 2016. This data breach was the second in two years reported by Noble House; the company previously notified customers of a separate attack on 13 November 2015.
Millennium Hotels & Resorts
When: Announced 26 August
What happened: Millennium’s North America office based in Boulder, Colorado, notified customers that 14 U.S. hotels in the company’s portfolio were hit with a data security attack between early March and mid-June 2016. Hackers targeted F&B point-of-sale systems but did not infiltrate Millennium’s property management or booking systems, according to a news release.
Kimpton Hotels & Restaurants
When: Announced 26 July
What happened: After being contacted by data security blog KrebsonSecurity in response to rumors of a potential breach, Kimpton officials confirmed the company had been targeted by hackers by releasing a statement on its website. At the end of August, Kimpton relayed more information about the attack, which reportedly occurred between 16 February and 7 July 2016. Hackers reportedly used malware to scrape information from guest credit cards.
Omni Hotels & Resorts
When: Announced 8 July
What happened: The Dallas-based hotel company discovered on 30 May that a malware attack had targeted credit card information at point-of-sale systems at various Omni properties between 23 December 2015 and 14 June 2016, according to a letter to guests posted on the company’s website. The Dallas Morning News reported Omni officials confirmed “more than 50,000 customer credit and debit cards” at 49 properties were affected by the breach.
Hard Rock Hotel & Casino Las Vegas
When: Announced 5 July
What happened: The Las Vegas resort discovered a breach in its payment card system on 13 May after investigating reports of fraudulent activity with payment cards used at the property, according to a company news release.
Card-scraping malware that targeted cardholder names, card numbers, expiration dates and verification codes was found at the Hard Rock’s restaurant and retail outlet payment systems. Guests who stayed at the resort between 27 October 2015 and 21 March 2016 could have been affected.
Trump Hotel Collection
When: Announced 4 April
What happened: According to technology security blog KrebsonSecurity, unnamed sources identified “a pattern of fraud on customer credit cards, which suggests hackers have breached credit card systems at some—if not all—of the Trump Hotel Collection properties.” Dates of the breach and properties affected have not yet been specified.
Trump officials released a statement to HNN attributed to Eric Trump, EVP of development and acquisitions for The Trump Organization, who said the company is investigating the breach with law enforcement and is “committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”
Rosen Hotels & Resorts
When: Announced 4 March
What happened: According to a news release from Orlando, Florida-based Rosen Hotels & Resorts, the company was told on 3 February that guests who had stayed at Rosen properties were notified of unauthorized credit card charges. The breach may have affected all company properties between 2 September 2014 and 18 February 2016, according to the release. The company has seven Florida hotels in its portfolio, including six in Orlando.
Hyatt Hotels Corporation
When: Announced 23 December
What happened: Hyatt announced a data breach that occurred on 30 November 2015, but few details were released at the time. On 15 January 2016, Hyatt officials confirmed hackers targeted payment card data from cards used onsite at 250 Hyatt locations, primarily restaurants, between 13 August 2015 and 8 December 2015.
Hilton Worldwide Holdings
When: Announced 24 November
What happened: According to a letter posted on Hilton’s website and written by EVP of global brands Jim Holthouser, a data security attack affected payment systems at Hilton properties from 18 November to 5 December 2014 and 21 April to 27 July 2015. The company released a data breach FAQ but did not specify how many guests were affected. Hilton officials did not specify which properties were targeted.
Starwood Hotels & Resorts Worldwide
When: Announced 20 November
What happened: According to a company news release, point-of-sale systems at more than 70 Starwood properties in North America were infected with malware. The affected dates varied by property, but all told, the attack on the company occurred between 7 November 2014 and 30 June 2015. Officials said guest reservation and loyalty systems were not affected in the attack.
Noble House Hotels and Resorts
When: Announced 13 November
What happened: The breach affected six properties in Florida, California, Colorado and Washington over different time periods, starting 29 December 2014 through 11 August 2015, according to a Noble news release. Malware installed on payment systems at the affected properties downloaded guest information from the magnetic strip on credit cards.
When: Announced 5 October
What happened: Hackers targeted guest credit card information at seven Trump hotels between 19 May 2014 and 2 June 2015, according to the New York-based company. The affected properties included two hotels in New York, along with properties in Miami, Chicago, Hawaii, Las Vegas and Toronto. Trump officials said there was no evidence any guest information was removed from their data systems, but all news regarding the incident was released as a precaution.
Mandarin Oriental Hotel Group
When: Announced 5 March
What happened: Mandarin’s credit card system was compromised by malware. Ten properties across the globe were affected between 18 June 2014 and 12 March 2015. After first confirming the breach in March, the company issued a news release several months later that claimed there was no evidence of identity fraud among affected guests.
White Lodging Services Corporation
When: Announced 5 February, more details released 8 April
What happened: The data breach affected point-of-sale systems at food-and-beverage outlets at 10 White Lodging properties between 3 July 2014 and 6 February 2015. Nine of the 10 affected properties were Marriott brands. This was White Lodging’s second data breach since the beginning of 2014.
Houstonian Hotel Club & Spa
When: First reported 8 July
What happened: According to The Houston Chronicle, it was not known how many customers or transactions at the property’s payment systems were affected, but approximately 10,000 customers between 28 December 2013 and 20 June 2014 were at risk of identity fraud.
White Lodging Services Corporation
When: Announced 3 February
What happened: White Lodging reported that point-of-sale systems at 14 of its properties in the U.S.—mostly falling under the , Renaissance and Holiday Inn brands—had been breached between 20 March and 16 December of 2013. In most instances, F&B point-of-sale systems were affected, but in one case a hotel’s property-management system was also affected. The company launched a review with federal law enforcement officials and initiated a third-party forensic review.
When: Announced 2 September
What happened: The data security attack targeted guest credit card transactions made at 10 HEI hotels between 25 March and 10 April. The affected hotels included both Marriott and Starwood brands in California, Michigan, Florida and others.
Westin Bonaventure Hotel and Suites in Los Angeles
When: Announced 8 March
What happened: Hackers targeted guest credit card information at the Los Angeles hotel’s four restaurants and valet services between April and December 2009.
Wyndham Worldwide Corporation
When: Three separate breaches between April 2008 and January 2010
What happened: Wyndham hotels were hit with data security attacks three times between April 2008 and January 2010, which resulted in nearly $11 million in identity fraud, according to Reuters. The Federal Trade Commission pursued legal action against Wyndham in 2012, but both parties settled the case on 9 December 2015, with Wyndham agreeing to an FTC consent order and being absolved of paying any monetary damages.
Compiled by Dan Kubacki.