White Lodging has issued a letter to its guests to clear up confusion for possibly affected guests. The complete contents of the letter can be found here.
The statement contends that the company understands that the recent press release regarding the suspected data breach at some of its managed-hotels may have caused concern and inconvenience. White Lodging offered further explanation saying, “to be clear, our investigation revealed that the food and beverage outlets at 14 hotels were affected. At one of these hotels both the property management system used to process guests’ credit card data and the point of sale system at the food and beverage outlets were affected. This incident was communicated in a press release because we do not have contact information for the affected cardholders.”
In addition to offering apologies, the letter warns guests that when these type of incidents occur, some criminals seek to fraudulently obtain the personal information of affected individuals by claiming to be the business that experienced the incident. The company advises guest NOT to respond to any requests from entities requesting sensitive personal information in relation to this incident.
The hotels, hotel brands, White Lodging, AllClearID (the service provider engaged to provide one year of complimentary personal identity protection services to all affected cardholders) or anyone legitimately contacting guests on their behalf will NOT ask for other sensitive personal information with regard to this incident.
White Lodging is offering one year of complimentary personal identity theft protection services, provided by AllClearID, to those affected by this incident. For more information about how to enroll for this service please call 1-855-865-4453 or visit https://whitelodging.allclearid.com. If you are a non-U.S. resident the available services will vary.
Q: What happened?
A: On January 16, 2014, White Lodging was notified that there was a suspected breach of credit/debit card data during the period March 20 – December 16, 2013 at food and beverage outlets at the following hotels:
• Marriott Midway, Chicago, IL
• Holiday Inn Midway, Chicago, IL
• Holiday Inn Austin Northwest, Austin, TX
• Sheraton Erie Bayfront, Erie, PA
• Westin Austin at the Domain, Austin, TX
• Marriott Boulder, Boulder, CO
• Marriott Denver South, Denver, CO
• Marriott Austin South, Austin, TX
• Marriott Indianapolis Downtown, Indianapolis, IN
• Marriott Richmond Downtown, Richmond, VA
• Marriott Louisville Downtown, Louisville KY
• Renaissance Plantation, Plantation, FL
• Renaissance Broomfield Flatiron, Broomfield, CO
• Radisson Star Plaza, Merrillville, IN
At the Radisson Star Plaza in Merrillville, IN, we suspect that the point of sales system at food and beverage outlets and the property management system that manages hotel guests’ credit card information was affected.
We quickly engaged a third party forensic services provider to conduct an investigation. We also notified the U.S. Secret Service and FBI. The preliminary results of the investigation revealed malicious software and remnants of such software on a number of the point of sale terminals used at food and beverage outlets at these hotels. Because this malicious software (also referred to as malware) was detected, the credit/debit card data entered on these devices was at risk of theft.
Q: What specific information was disclosed about me?
A: The unlawfully accessed data may have included names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates.
Q: Was my spouse or other family members’ information also affected?
A: Only the information of guests who used their credit cards at the affected locations listed above have been impacted by this event.
Q: Why wasn’t this incident announced sooner?
A: We were informed of the suspected breach on January 16, 2014 and then promptly contacted law enforcement engaged a security forensic firm and commenced the investigation. The forensic investigation, research to identify the affected locations and cards, the procurement of identity theft protection services and preparation of communications was conducted as fast as we could.
Q. Who is White Lodging Services Corporation and what is their relationship to Marriott, Sheraton, Holiday Inn and Westin?
A: White Lodging is an independent hotel management company that is separate and distinct from all of the hotel brand companies. White Lodging operates hotels as a franchisee of these hotel brand companies under management agreements with the owner of the hotels.
Q: Is this incident related to the Target incident?
A: We have no indication that there is any relationship to any of the other recent incidents in the news.
Q: Has the person who accessed the information been caught?
A: Law enforcement has not notified us of any arrests; our investigation is on-going and we are fully cooperating with law enforcement and the credit card companies.
Q: I was a guest at one of the hotels during the time period disclosed but did not use my credit/debit card at food and beverage outlets. Is my credit/debit card data at risk?
A: The preliminary results of the forensic review do not indicate the presence of malicious software on the property management system used at the front desk to process room charges. Thus, your credit/debit card data is not believed to be at risk.
However, if you were a guest at the Radisson Star Plaza in Merrillville, IN property during March 20 – December 16, 2013, your credit card may be affected, assuming you paid for your stay with a credit card.
Q: Has anything been done to protect my credit/debit card from being misused?
A: Yes, the credit card companies have already sent all affected credit/debit card numbers to the banks that issued the cards so that they can increase their fraud monitoring on the card or reissue the card if they believe that is necessary. For example, if you used a credit card that was issued by Bank of America at one of the locations named in the press release during the March 20 – December 16, 2013 time period, Bank of America already knows your card may have been affected. In addition, the policies of the payment card brands such as Visa, MasterCard, American Express and Discover provide that you have zero liability for any unauthorized charges if you report them in a timely manner.
We are also offering one year of complimentary personal identity theft protection services, provided by AllClearID, to those affected by this incident.
If you desire to enroll in the AllClearID service you will be able to do so via the Internet at https://whitelodging.allclearid.com. If you do not have access to the Internet, a call center agent will be able to facilitate enrollment when you call 1-855-865-4453. Note: If you decide to enroll in the credit monitoring service you will be required to provide your Social Security number to verify your identity. For non-U.S. residents the service offering will vary.
Q: Has the investigation concluded?
A: No, the investigation is on-going and we are fully cooperating with law enforcement and the credit card companies.
Q: What has been done to prevent a reoccurrence in the future?
A: We are examining the likely root causes of this incident and are taking steps designed to prevent a reoccurrence.
Q: Should I notify the bank (or American Express for Amex cards issued directly) that issued my credit card?
A: While the issuing banks have already been notified and they are either increasing the fraud monitoring on your card or may reissue it, you may want to contact them and inquire of them any additional next steps that they suggest.
Q: Is there an expiration date to take advantage of the one year of complimentary personal identity theft protection services?
A: Yes, you must enroll by May 7, 2014.
Q: When will the personal identity theft protection services end?
A: The ending date of the services is May 7, 2015. Thus, if you enroll before May 7, 2014 you will receive more than one year of protection.
Q: What is the difference between a fraud alert or security freeze and the service AllClearID provides?
A: A fraud alert or security freeze placed through Equifax, Experian or Trans Union is a separate service from the AllClearID personal identity theft protection service.
A fraud alert is an alert that the three major credit reporting companies attach to your credit file. When you, or someone else, attempt to open a credit account, the lender should contact you by phone to verify that you want to open the new account. If you cannot be reached by phone, the credit account should not be opened.
A security freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company.
The AllClearID credit monitoring service is a service that monitors the a major credit bureau for signs of fraud or unauthorized use of your credit card accounts, and provides you with you with a notification of significant changes to your credit files.
Q: What do I do if my credit accounts have been tampered with or if new accounts have been opened fraudulently?
A: If you observe suspicious activity, contact your creditors immediately. Ask to speak to someone in the security or fraud department, and follow up in writing. If you discover a changed billing address on an existing credit card account, close the account. When you open a new account, ask that a password be used before any inquiries or changes can be made on the account. When selecting a password or Personal Identification Number (PIN), avoid using easily available information like your birth date or name.
RELATED CONTENT: Suspected POS Data Breach Impacts 14 Properties