HEI Hotels & Resorts suffers POS terminal breach

Hotel and resorts chain HEI has announced a data breach affecting customers’ payment card information.

The breach was announced via a notice on HEI’s website: “Unfortunately, like many other organizations, we recently became aware that several of our properties may have been the victim of a security incident that could have affected the payment card information of certain individuals who used payment cards at point-of-sale terminals, such as food and beverage outlets, at some of our properties”.

The notice then links to a list of 20 affected locations, including franchised names such as Marriott and Hyatt.

Malware on the POS (point-of-sale) systems was discovered and removed on June 21 after a card processing company alerted HEI to suspicious activity. The shocking part, however, is that some incidents date as far back as March 2015.

Possibly affected details include:

  • Names
  • Payment card numbers
  • Expiration dates
  • Verification codes

Alan Calder, the founder and executive chairman of IT Governance, had a few things to say about the breach: “If you’re a hotel, you need to comply with the PCI DSS – this is simply the latest in repeated successful attacks on hotels and hotel chains. Organizations must get a real PCI expert to come and do a full security assessment against the requirements of the Standard to identify any shortfalls so that they can remediate them as a matter of urgency. Save yourself the embarrassment and reputational damage, the cost of restitution and, of course, the fines from the PCI SSC.”

To help you achieve and maintain compliance with the PCI DSS, we have a number of resources:

  • Information: Read guidance from practicing experts on the PCI DSS; perfect for those new to the subject or looking for more information on implementing it in their organization.
  • Pre-written, PCI-compliant documentation: Up-to-date with the PCI DSS v3.2, the PCI DSS Documentation Toolkit contains easy-to-use, fully customizable templates to help you produce compliant documentation.
  • Penetration Testing: Identify, fix, and prevent vulnerabilities within your systems with CREST-accredited testing services from IT Governance.

