Starwood Hotels & Resorts Worldwide Inc. is the latest known hotel target of cyber attackers. The company on Friday announced that hackers had injected malware into point of sale systems at some of its hotels in North America.

That malware ultimately made it possible for unauthorized parties to tap into the payment card data Relevant Products/Services of some hotel guests. Starwood, which operates brands including Four Points by Sheraton, Aloft, Element, and Westin, now joins the Trump Hotel Collection and the Hilton chain of hotels on the list of hotel data breaches.

“Protecting our customers’ information Relevant Products/Services is critically important to Starwood and we take this issue extremely seriously,” said Sergio Rivera, president of Starwood in the Americas, in a statement. “Quickly after we became aware of the possible issue, we took prompt action to determine the facts.”

What Information Leaked?

As soon as it discovered the breach, Starwood hired outside forensics experts to investigate the depth and breadth of the attack Relevant Products/Services. The result: investigators discovered malware installed in the point of sale systems of some of its restaurants, gift shops and other systems. The company said, at this time it doesn’t appear Starwood’s guest reservation or preferred guest membership systems were breached.

Attackers designed the malware to collect payment card information. That information spans credit and debit card numbers, security codes, expiration dates and cardholders' names. However, there's no evidence that customer Relevant Products/Services information, such as PINs, phone numbers and addresses, were impacted, according to the company's initial report. Starwood said it has eradicated the malware and taken steps to secure its systems.

“We have been working closely with law enforcement authorities and have been coordinating our efforts with the payment card organizations,” Rivera said. “We want to assure our customers that we have implemented additional security measures to help prevent this type of crime from reoccurring.”

A Key Target for Criminals

We caught up with Tim Erlin, director of IT security and risk strategy at advanced threat detection firm Tripwire, to get his reaction to the breach. He told us he recommends that travelers check the list and if they stayed at one of the locations, they should monitor their statements.

“Starwood certainly isn’t the first company to be affected by point of sale malware. The path from discovery to recovery is well-worn at this point,” Erlin said. “In some cases this malware has been present for more than a year.”

While the incident may seem like a point in time, it’s really a lengthy campaign of data theft, Erlin said, adding that he's surprised that fraudulent activity from stolen card data wasn't discovered sooner.

“The point of sale system remains a key target for cybercriminals after a sustained revenue stream,” he said. “If you can siphon data off for months, you can ensure you have fresh product to sell on the black market.”

Not Closely Monitored

Any organization that runs a point of sale system should examine how it's protected, according to Erlin. And using anti-virus software isn’t enough, consumers have to monitor these systems continuously for changes that may be suspicious and investigate the changes, he added.

Travis Smith, a security analyst at Tripwire, told us point of sale devices are still primary targets for malicious actors because the value of data passing between them is enormous.

“Point of sale device[s] typically see less change than other IT assets, but unfortunately, they are also not monitored as closely,” Smith said. “All kinds of merchants can learn from the breaches we’ve seen over the past few years. Everyone processing credit card data should take proactive steps to harden POS devices and monitor them closely in order to defend against these kinds of attacks. This problem is going to continue for the foreseeable future.”