Hotel and resorts chain HEI has announced a data breach affecting customers’ payment card information.

The breach was announced via a notice on HEI’s website: “Unfortunately, like many other organizations, we recently became aware that several of our properties may have been the victim of a security incident that could have affected the payment card information of certain individuals who used payment cards at point-of-sale terminals, such as food and beverage outlets, at some of our properties”.

The notice then links to a list of 20 affected locations, including franchised names such as Marriott and Hyatt.

Malware on the POS (point-of-sale) systems was discovered and removed on June 21 after a card processing company alerted HEI to suspicious activity. The shocking part, however, is that some incidents date as far back as March 2015.

Possibly affected details include:

- Names
- Payment card numbers
- Expiration dates
- Verification codes

Alan Calder, the founder and executive chairman of IT Governance, had a few things to say about the breach: “If you’re a hotel, you need to comply with the PCI DSS – this is simply the latest in repeated successful attacks on hotels and hotel chains. Organizations must get a real PCI expert to come and do a full security assessment against the requirements of the Standard to identify any shortfalls so that they can remediate them as a matter of urgency. Save yourself the embarrassment and reputational damage, the cost of restitution and, of course, the fines from the PCI SSC.”

To help you achieve and maintain compliance with the PCI DSS, we have a number of resources: