Newsroom

Twenty hotels operated by HEI Hotels & Resorts for Starwood, Marriott, Hyatt and Intercontinental were reportedly hit by a data breach exposing card payment data from tens of thousands of transactions, affirming the urgency for national data security standards for merchants, said NAFCU's Dan Berger.

"These hotel data breaches, many of which are repeat offenses, as well as the latest data breach to Oracle's point-of-sale systems, affirm the urgency with which Congress needs to pass strong national data security standards for retailers, such as the ‘Data Security Act of 2015' (H.R. 2205/S.961)," said Berger, NAFCU's president and CEO. "Cybercriminals' attacks are growing more pernicious and continue to take advantage of the vulnerabilities in retailers' payments systems to seize consumers' sensitive personal financial information."

The company on Friday said the breach hit various hotels nationwide, including locations in Florida, Texas, Vermont, Illinois, California, Virginia, Tennessee, Minnesota, Colorado, Pennsylvania and Washington, D.C. The dates of the data breach vary for each hotel hit, but range from March 2015 through June 2016.

HEI said outside experts are continuing to investigate the breach but said the malware could have affected payment card data including names, payment card account numbers, card expiration dates and verification codes.

Various Omni, Hyatt, Starwood and Hilton hotels have already been hit by a data breach within the past year. Just last month, San Francisco-based Kimpton Hotels & Restaurants chain was investigating a possible data breach.

NAFCU has repeatedly underscored the need for Congress to pass national data security standards for merchants and retailers, such as those found in the "Data Security Act" (H.R. 2205/S.961). Winning passage of national data security standards for merchants is among the association's 2016 top priorities.