Timeline: The growing number of hotel data breaches
Timeline: The growing number of hotel data breaches
13 JULY 2017 8:05 AM

Editor’s note: This timeline has been updated to include an update to an earlier breach reported by InterContinental Hotels Group and a Sabre Hospitality Solutions breach that affected several hotel companies.

GLOBAL REPORT—Hackers continue to target the hospitality industry with sophisticated attacks on secured data. More than a dozen data breaches have been reported by hotels since 2010, affecting everything from major multinational corporations to single properties.

Here is a roundup of the widely reported data security attacks on the hotel industry since 2010. This list will be updated as more breaches are confirmed.


Sabre Hospitality Solutions

When: Announced starting 6 July

What happened: Multiple hotel companies, including Hard Rock Hotels & Casinos, Four Seasons Hotels and Resorts, Trump Hotels and Loews Hotels, reported a data breach via a third-party reservations system provided by Sabre Hospitality Solutions. Sabre notified the companies in June of the breach, which granted unauthorized access to credit card information and some reservation information between August 2016 and March 2017.

Hard Rock reported 11 properties in the U.S., Mexico and Caribbean regions were affected by the breach. Trump Hotels reported 14 properties in the U.S., United Kingdom, Ireland, Canada and South America were affected by the breach. Loews Hotels notified guests that 21 properties in the U.S. and Canada were affected by the data breach.

Four Seasons did not provide a list of properties affected but specified in a news release that “reservations made on Fourseasons.com, with Four Seasons’ Worldwide Reservations Office, or made directly with any of Four Seasons’ 105 hotels or resorts were not compromised by this incident.”

InterContinental Hotels Group

When: First announced 3 February, updated in April

What happened: IHG’s Americas division confirmed food-and-beverage outlets at 12 U.S. hotels were hit by a data breach between 1 August and 20 December 2016, according to a news release. Company officials said malware was installed on the servers of payment card processers of restaurants at IHG-managed hotels in the U.S. and Canada.

Then, in April, data security blog KrebsonSecurity reported the breadth of IHG’s credit card breach had extended from 12 properties to more than 1,000 hotels in the U.S. and Puerto Rico. “According to a statement released by IHG, the investigation ‘identified signs of the operation of malware designed to access payment card data from cards used on-site at front desks at certain IHG-branded franchise locations between 29 September 2016 and 29 December 2016,” the news site reported.

The InterContinental Toronto Yorkville was one of the 12 IHG-managed properties affected by a data breach that was announced 3 February. Guests who used credit cards at F&B outlets at InterContinental Toronto Yorkville between 1 August and 28 November may be at risk. (Photo: InterContinental Hotels Group)


Hutton Hotel

When: Announced 5 September

What happened: The Nashville hotel notified customers of a data breach that could have affected guests who booked a stay at the property between 19 September 2012 and 16 April 2015. Point-of-sales systems at the Hutton were also targeted for a majority of that time period and also between 12 August 2015 and 10 June 2016.

Noble House Hotels & Resorts

When: Announced 2 September

What happened: The Kirkland, Washington-based hotel company initiated an investigation that found malware at nine U.S. properties that put guest credit card data at risk between 25 April and 3 August 2016. This data breach was the second in two years reported by Noble House; the company previously notified customers of a separate attack on 13 November 2015.

Millennium Hotels & Resorts

When: Announced 26 August

What happened: Millennium’s North America office based in Boulder, Colorado, notified customers that 14 U.S. hotels in the company’s portfolio were hit with a data security attack between early March and mid-June 2016. Hackers targeted F&B point-of-sales systems but did not infiltrate Millennium’s property management or booking systems, according to a news release.

Kimpton Hotels & Restaurants

When: Announced 26 July

What happened: After being contacted by data security blog KrebsonSecurity in response to rumors of a potential breach, Kimpton officials confirmed the company had been targeted by hackers by releasing a statement on its website. At the end of August, Kimpton relayed more information about the attack, which reportedly occurred between 16 February and 7 July 2016. Hackers reportedly used malware to scrape information from guest credit cards.

Omni Hotels & Resorts

When: Announced 8 July

What happened: The Dallas-based hotel company discovered on 30 May that a malware attack had targeted credit card information at point-of-sales systems at various Omni properties between 23 December 2015 and 14 June 2016, according to a letter to guests posted on the company’s website. The Dallas Morning News reported Omni officials confirmed “more than 50,000 customer credit and debit cards” at 49 properties were affected by the breach.


Hard Rock Hotel & Casino Las Vegas

When: Announced 5 July

What happened: The Las Vegas resort discovered a breach in its payment card system on 13 May after investigating reports of fraudulent activity with payment cards used at the property, according to a company news release.

Card-scraping malware that targeted cardholder names, card numbers, expiration dates and verification codes was found at the Hard Rock’s restaurant and retail outlet payment systems. Guests who stayed at the resort between 27 October 2015 and 21 March 2016 could have been affected.

Trump Hotel Collection

When: Announced 4 April

What happened: According to technology security blog KrebsonSecurity, unnamed sources identified “a pattern of fraud on customer credit cards, which suggests hackers have breached credit card systems at some—if not all—of the Trump Hotel Collection properties.” Dates of the breach and properties affected have not yet been specified.

Trump officials released a statement to HNN attributed to Eric Trump, EVP of development and acquisitions for The Trump Organization, who said the company is investigating the breach with law enforcement and is “committed to safeguarding all guests’ personal information and will continue to do so vigilantly.” 

Rosen Hotels & Resorts

When: Announced 4 March

What happened: According to a news release from Orlando, Florida-based Rosen Hotels & Resorts, the company was told on 3 February that guests who had stayed at Rosen properties were notified of unauthorized credit card charges. The breach may have affected all company properties between 2 September 2014 and 18 February 2016, according to the release. The company has seven Florida hotels in its portfolio, including six in Orlando. 


Hyatt Hotels Corporation

When: Announced 23 December

What happened: Hyatt announced a data breach that occurred on 30 November 2015, but few details were released at the time. On 15 January 2016, Hyatt officials confirmed hackers targeted payment card data from cards used onsite at 250 Hyatt locations, primarily restaurants, between 13 August 2015 and 8 December 2015. 

The Hyatt Regency Buffalo/Hotel and Conference Center in Buffalo, New York, was one of the 250 Hyatt properties hit during a data breach between 13 August 2015 and 8 December 2015. (Photo: Hyatt Hotels Corporation)


When: Announced 24 November

What happened: According to a letter posted on Hilton’s website and written by EVP of global brands Jim Holthouser, a data security attack affected payment systems at Hilton properties from 18 November to 5 December 2014 and 21 April to 27 July 2015. The company released a data breach FAQ but did not specify how many guests were affected. Hilton officials did not specify which properties that were targeted. 

Starwood Hotels & Resorts Worldwide

When: Announced 20 November

What happened: According to a company news release, point-of-sale systems at more than 70 Starwood properties in North America were infected with malware. The affected dates varied by properties, but all told, the attack on the company occurred between 7 November 2014 and 30 June 2015. Officials said guest reservation and loyalty systems were not affected in the attack.

Noble House Hotels and Resorts

When: Announced 13 November

What happened: The breach affected six properties in Florida, California, Colorado and Washington over different time periods, starting 29 December 2014 through 11 August 2015 according to a Noble news release. Malware installed on payment systems at the affected properties downloaded guest information from the magnetic strip on credit cards. 

Guests who stayed at the Mountain Lodge Telluride in Telluride, Colorado, between 29 December 2014 and 27 May 2015 were at risk of credit card fraud as Noble House Hotels and Resorts experienced a data breach at six properties between December 2014 and August 2015. (Photo: Mountain Lodge Telluride)
Trump Hotel Collection

When: Announced 5 October

What happened: Hackers targeted guest credit card information at seven Trump hotels between 19 May 2014 and 2 June 2015, according to the New York-based company. The affected properties included two hotels in New York, along with properties in Miami, Chicago, Hawaii, Las Vegas and Toronto. Trump officials said there was no evidence any guest information was removed from their data systems, but all news regarding the incident was released as a precaution.

Mandarin Oriental Hotel Group

When: Announced 5 March

What happened: Mandarin’s credit card system was compromised by malware. Ten properties across the globe were affected between 18 June 2014 and 12 March 2015. After first confirming the breach in March, the company issued a news release several months later that claimed there was no evidence of identity fraud among affected guests.

White Lodging Services Corporation

When: Announced 5 February, more details released 8 April

What happened: The data breach affected point-of-sales systems at food-and-beverage outlets at 10 White Lodging properties between 3 July 2014 and 6 February 2015. Nine of the 10 affected properties were Marriott brands. This was White Lodging’s second data breach since the beginning of 2014. 

The Louisville Marriott Downtown was one of 10 White Lodging Service Corporation properties affected by a data security breach between 3 July 2014 and 6 February 2015. (Photo: Louisville Marriott Downtown)


Houstonian Hotel Club & Spa

When: First reported 8 July

What happened: According The Houston Chronicle, it was not known how many customers or transactions at the property’s payment systems were affected, but approximately 10,000 customers between 28 December 2013 and 20 June 2014 were at risk of identity fraud.

White Lodging Services Corporation

When: Announced 3 February

What happened: White Lodging reported that point-of-sale systems at 14 of its properties in the U.S.—mostly falling under the , Renaissance and Holiday Inn brands—had been breached between 20 March and 16 December of 2013. In most instances, F&B point-of-sale systems were affected, but in one case a hotel’s property-management system was also affected. The company launched a review with federal law enforcement officials and initiated a third-party forensic review.


HEI Hospitality

When: Announced 2 September

What happened: The data security attack targeted guest credit card transactions made at 10 HEI hotels between 25 March and 10 April. The affected hotels included both Marriott and Starwood brands in California, Michigan, Florida and others.

Westin Bonaventure Hotel and Suites in Los Angeles

When: Announced 8 March

What happened: Hackers targeted guest credit card information at the Los Angeles hotel’s four restaurants and valet services between April and December 2009. 

Wyndham Worldwide Corporation

When: Three separate breaches between April 2008 and January 2010

What happened: Wyndham hotels were hit with data security attacks three times between April 2008 and January 2010, which resulted in nearly $11 million in identity fraud, according to Reuters. The Federal Trade Commission pursued legal action against Wyndham in 2012 but both parties settled the case on 9 December 2015, with Wyndham agreeing to an FTC consent order and the company was absolved of paying any monetary damages.


Compiled by Dan Kubacki.

No Comments

Comments that include blatant advertisements or links to products or company websites will be removed to avoid instances of spam. Also, comments that include profanity, lewdness, personal attacks, solicitations or advertising, or other similarly inappropriate or offensive comments or material will be removed from the site. You are fully responsible for the content you post. The opinions expressed in comments do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Please report any violations to our editorial staff.