July 8, 2010 -- Your next hotel room might end up costing you more than you expected.
It turns out hotels have now surpassed restaurants for the top spot where your credit card data is most likely to be stolen, according to one firm that tracks such thefts.
Hackers are finding hotels and their booking centers prime targets. The reservation centers often have thousands of credit card numbers on file and one successful break-in can yield plenty of numbers for an illegal shopping spree.
Fraudulent charges might show up a few hours after a reservation is made, after check-out or even months later. And the problem is not limited to small hotels.
"It's certainly the top name brands," said Robert J. McCullen, chairman and CEO of Trustwave, a company that is hired by hotels and other merchants to protect their systems.
In a recent report, Trustwave said that 38 percent of all data breaches in 2009 came from hotels. Restaurants, once the leader, now account for just 13 percent of the thefts. McCullen said hotels have risen as targets in just the last 18 months.
Part of the appeal of hotels is the large number of points where credit card information is used. It's not just the front desk but the golf course, the restaurants, the spa, the gift shop and the pool bar. All of them, McCullen said, are tied into a central computer system. There are only a few vendors providing the credit card reading equipment and related software. Once the hackers figure out how one system works, McCullen said they take a "cookie cutter" approach to breaking into every hotel that has it.
For example, if the hackers can figure out the system for the Marriott in Salt Lake City, they could possibly break into the Marriott in New Orleans. Or if they crack the system Sheraton uses, they can get data from Westins too, since they are both part of the same parent company, Starwood Hotels.
The reason hotels are more vulnerable: they have a lot of workers with access to company computers.
"You have so many different employees going through the system that it allows them to either skim cards or put in malware that lets the bad guys hack into the system," McCullen said.
Nation's Credit Card Fraud Leader: Hotels
In January, Wyndham Hotels and Resorts discovered that a sophisticated hacker penetrated the computer systems of one of its data centers. By going through the centralized network connections, the hacker was then able to access and download information from several, but not all, of the hotels. The company said as many as 31 hotels were affected from Nov. 7, 2009, to Jan. 23. It was never revealed how many cardholder names and card numbers, expiration dates and other data were taken.
InterContinental Hotels Group reported in December 2009 that in September, they had detected malicious software that was capturing payment processing information during transactions at the Willard InterContinental Hotel in Washington, D.C. The total number of individuals affected was not indicated, but 428 Maryland residents were affected.
And in March, the Westin Bonaventure Hotel & Suites in Los Angeles issued a press release announcing that some type of breach had occurred at its four restaurants and at the valet parking stand. The hotel believes the theft took place between April 2009 and December 2009 but would not say how many people were affected.
McCullen said Trustwave could not provide details about any of the hacks his company tracks because many of the hotel chains are his clients.
How To Spot Hotel Credit Card Fraud
Hotels know about the severity of the problem and say they are combating it.
"We've seen it in the last couple of years," said Joseph A. McInerney, president of the American Hotel & Lodging Association. "It's a majority priority from all the hotel companies. We want to try to keep the information of our customers secure."
But not everybody is so convinced of the risk at hotels.
Linda Foley, founder of the non-profit Identity Theft Resource Center, said she still sees more reports about restaurants than hotels.
"It seems to me that restaurants are really being targeted right now," she said.
However, Foley said that her information is mostly anecdotal, based on every possible publicly reported breach. And that's the problem, since there is no central database of all hacks, let alone details about those that are reported, she said. Nearly half of the reported breaches don't state how many records were involved.
"What we know is probably the tip of the iceberg," Foley said. Companies might have sent out letters to people whose cards were compromised, "but nobody called the press to complain."
Foley said that the New Hampshire Attorney General's office keeps an up-to-date list of all the breach letters they get. It's the best in the nation, she said, with nobody else maintaining such a comprehensive listing.
As for Trustwave, she said, "part of their goal is to keep [the breaches] out of the public eye."
She suggested a central database that could be maintained by the Federal Trade Commission or the Secret Service, which investigates such frauds.
So what can you do as a consumer?
Not much. Credit card companies don't hold customers responsible for such charges as long as they are reported in a timely manner.
McCullen suggests getting a copy of your room bill and holding onto it for 30 days. Then, he said, check your statements carefully to ensure there are no fraudulent charges. It's best to do it frequently online.
Sometimes, it could take months for a charge to appear.
"The sophisticated hackers," he warned, "will be patient."