Hilton is the Latest Hotel Chain to Confirm a Data Breach

by
Robert Hackett

@FortuneMagazine

November 25, 2015, 11:34 AM EDT

Hilton Hotels said on Tuesday it had been the victim of a security breach.

The hotel chain’s notice comes two months after the company began investigating whether hackers had attacked its properties. The news also follows initial reporting by Brian Krebs, an independent cybersecurity journalist, who caught wind that payment card terminals at the company’s restaurants, bars, and gift shops may have been compromised.

Hilton HLT confirmed the cyber intrusion in a recent statement, saying it had “identified and taken action to eradicate unauthorized malware that targeted payment card information in some point-of-sale systems.” The company, based in McLean, Va., said it “immediately launched an investigation” and “further strengthened” its systems.

Hilton did not reveal how many properties might be affected, nor did it confirm how many customers’ credit card or debit card information might have been stolen. “We cannot address the actual number of cards impacted,” the company said in an FAQ about the incident, adding that the potentially stolen information includes “cardholder names, payment card numbers, security codes and expiration dates, but no addresses, personal identification numbers (PINs) or Hilton HHonors account information.”

MORE: “Retailers Scrambling Against Latest Credit Card-Stealing Malware”

The hotel franchise operates more than 4,500 properties across 97 countries and territories, and its holdings include the brands Doubletree, Embassy Suites, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts.

Hilton recommended that its customers check their banking records in the event that they made a purchase at one of the company’s hotels during a 17-week period spanning between Nov. 18 to Dec. 5, 2014, or between April 21 to July 27, 2015. “If you notice any irregular activity on your cards, please contact your financial institution directly for additional support,” the company said.

The company has also offered one year of free credit monitoring to potentially affected customers.

Hilton is the latest victim of a security breach in the hospitality industry. Starwood—the Westin, Sheraton, and W Hotels-owning hotel chain that Marriott MAR recently agreed to buy for about $12 billion—said just days ago that it had suffered a months-long data breach at 54 locations. Trump Hotels also recently confirmed that it had been hit with a year-long payment systems breach. Other recent victims include Mandarin Oriental Hotel Group and White Lodging.

For more on hotels, watch the video below:

Follow Robert Hackett on Twitter at @rhhackett. Read his cybersecurity, technology, and business coverage here. And subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology, where he writes a weekly column.

Yay! Human cashiers prevail over automation at some CVS stores

by
Robert Hackett

@FortuneMagazine

October 20, 2015, 6:48 PM EDT

CVS Health, which last year stopped selling cigarettes in its drugstores, plans to eliminate what some considered to be another scourge from some of its locations: self-service checkout registers.

Two CVS CVS stores in west suburban Boston, now have empty space where the self-pay kiosks once stood. Personnel at those stores said the registers disappeared two or three weeks ago as part of a chain-wide decision, a characterization that a CVS corporate spokeswoman disputed.

She confirmed that “some stores have reverted back to staffed check-out registers based on a normal review of store locations,” but she added that those decisions were made on a case-by case basis. “Assisted” self-check out stations will remain at some stores, she noted. That word “assisted” there is key because in my experience nearly all CVS self-check stations needed to have a CVS employee hovering nearby.

Retailers are experimenting with new payment systems as a way to cut payroll costs, hopefully without angering customers. But the stores risk alienating shoppers if their self-pay kiosks fail to work properly or people resent serving as part-time cashiers.

At two CVS stores in Watertown, Mass., and one in downtown Boston where I shop, the self-service registers never seemed to work right and store personnel often had to intervene — which completely defeats the purpose. One recurring problem was that scanners either didn’t read or mis-read coupons or didn’t register the correct discounts. And then there were the nagging reminders to put your purchases in a bag, even if you didn’t want a bag. All in all, annoying.

Anecdotally speaking, self-pay stations at the local Home Depot and Shaw’s Supermarkets, seemed to do much better. But there is a growing sentiment that shoppers visiting a brick-and-mortar store may prefer dealing with actual human beings rather than a kiosk when checking out.

Or at least some retailers feel that to be the case. Two years ago, for example, Costco axed its customer check-out stations. An executive said that human check out workers simply do a better job.

Automated alternatives for payment also include services like Google GOOG Wallet and Apple Pay that rely on Near Field Communications (NFC) technology which can convert iPhone and Apple AAPL Watches into payment tools loaded with credit card information.

Customers hold their phones near a reader in the store to make their payment. Duane Reade, Best Buy, Bloomingdale’s are all aboard with Apple Pay. And apps from Starbucks and other chains also support the Apple system. But CVS and rival RiteAid pulled support for that option however. (Rite Aid, at least, has since reconsidered.)

It will now be interesting to see if CVS does the same.

Follow Barb Darrow on Twitter at @gigabarb. Read her Fortune coverage at fortune.com/barb-darrow or subscribe via her RSS feed.

And please subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology.

Want the Full Story?