Starwood hotels announced today that it has joined a long line of hotels that have suffered a significant data breach involving credit cards and debit cards. Just in the last year, major data breaches have occurred at The Trump Hotel Collection, Hilton Hotels and the Mandarin Oriental. The hacking involves fifty-four of its hotels including its Sheraton, Westin and W brands. According to Starwood, the data breach resulted in the theft of credit and debit card information including card numbers, the names of the card holders, security codes and expiration dates of the affected cards. The malware used to gather the data, consistent with some of the more recent hotel data breaches, was found in the payment systems at the hotels’ restaurants, gift shops, bars and other retail shops within the various hotels, but not at the front desk card processors. The hacking started in November of 2014. This type of data breach is something about which I wrote a column for USA Today a year ago in which I explained the pattern of these data breaches and why they occur. Here is a link to that column, entitled “Coming Soon: Another Major Retailer Hacked.” http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/
Here is a link to the explanation by Starwood of the data breach. http://www.starwoodhotels.com/html/HTML_Blocks/Corporate/Confidential/Letter.htm?EM=VTY_CORP_PAYMENTCARDSECURITYNOTICE
Here is a link to a list of the affected hotels so that you can determine if you stayed at one of the affected hotels since November of 2014. http://www.starwoodhotels.com/Media/PDF/Corporate/Hotel_List.pdf
As is so often the case in these types of data breaches, Starwood is offering a year of free credit monitoring to those affected by the data breach although it is certainly late to be counting on this to provide significant assistance. Here is a link to information as to how to apply for the free credit monitoring. http://www.starwoodhotels.com/Media/PDF/Corporate/Reference_Guide.pdf
The problem continues to be one of weak cybersecurity of many companies coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards. Regulations effective October 1st mandate credit card issuers and retailers to switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have not switched over and are not expected to do so for some time. If smart EMV chip cards had been used at the Starwood hotels, the information stolen in such a hacking would have been worthless, but since they still used the old fashioned magnetic strip cards, Starwood and its customers face financial problems from this data breach. Target, which learned its lesson the hard way has already switched to the new EMV chip cards as has WalMart.
Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted a year ago, continue to occur again and again. As for we, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases. In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company. They are easy to use and they will provide you with much greater security. If you used a credit card or debit card at any of the above-mentioned Starwood properties since November of 2014 you should carefully monitor your credit card account and bank account for any indication of a problem.