Your next hotel room might end up costing you more than you expected.
It turns out hotels have now surpassed restaurants for the top spot where your credit card data is most likely to be stolen, according to one firm that tracks such thefts.
Hackers are finding hotels and their booking centers prime targets. The reservation centers often have thousands of credit card numbers on file, and one successful break-in can yield plenty of numbers for an illegal shopping spree.
Fraudulent charges might show up a few hours after a reservation is made, after check-out or even months later. And the problem is not limited to small hotels.
"It's certainly the top name brands," said Robert J. McCullen, chairman and CEO of Trustwave, a company that is hired by hotels and other merchants to protect their systems.
In a recent report, Trustwave said that 38 percent of all data breaches in 2009 came from hotels. Restaurants, once the leader, now account for just 13 percent of the thefts. McCullen said hotels have risen as targets in just the last 18 months.
Part of the appeal of hotels is the large number of points where credit card information is used. It's not just the front desk but the golf course, the restaurants, the spa, the gift shop and the pool bar. All of them, McCullen said, are tied into a central computer system. There are only a few vendors providing the credit card reading equipment and related software. Once the hackers figure out how one system works, McCullen said they take a "cookie cutter" approach to breaking into every hotel that has it.
For example, if the hackers can figure out the system for the Marriott in Salt Lake City, they could possibly break into the Marriott in New Orleans. Or if they crack the system Sheraton uses, they can get data from Westins too, since they are both part of the same parent company, Starwood Hotels.
The reason hotels are more vulnerable: they have a lot of workers with access to company computers.
"You have so many different employees going through the system that it allows them to either skim cards or put in malware that lets the bad guys hack into the system," McCullen said.
In January, Wyndham Hotels and Resorts discovered that a sophisticated hacker penetrated the computer systems of one of its data centers. By going through the centralized network connections, the hacker was then able to access and download information from several, but not all, of the hotels. The company said as many as 31 hotels were affected from Nov. 7, 2009, to Jan. 23. It was never revealed how many cardholder names and card numbers, expiration dates and other data were taken.
InterContinental Hotels Group reported in December 2009 that in September, they had detected malicious software that was capturing payment processing information during transactions at the Willard InterContinental Hotel in Washington, D.C. The total number of individuals affected was not indicated, but 428 Maryland residents were affected.