Mandarin Oriental probes credit card breach

File photo.  (REUTERS/Charles Platiau)

The Mandarin Oriental Hotel Group is the latest organization to fall victim to cyberattackers, confirming that credit card systems at some of its hotels in the U.S. and Europe have been breached.

“The Group has identified and removed the malware and is coordinating with credit card agencies, law enforcement authorities and forensic specialists to ensure that all necessary steps are taken to fully protect our guests and our systems across our portfolio,” it said, in a statement released on Thursday. “Unfortunately incidents of this nature are increasingly becoming an industry-wide concern and we have therefore also alerted our technology peers in the hospitality industry.”

The breach was first reported by cybersecurity news website KrebsOnSecurity on Wednesday.

The upscale hotel chain said that it worked with forensic experts to remove the malware, which affected systems at an “isolated number” of hotels. The malware, it added, was undetectable by all antivirus systems.

“Guests can be confident that security protocols are being thoroughly tested at all hotels to protect guest information and prevent a recurrence of such an attack,” it said.

However, at this stage, scant details of the breach have been released.

“We are currently unable to confirm specific details because the forensic investigation is still underway,” said the hotel chain. “We will continue to provide updates as they become available.”

Experts said that the breach once again highlights the vulnerability of corporate systems.

“With news of yet another major data breach, we are reminded again that many cybersecurity systems are not sufficient to prevent the leak of sensitive customer information,” said Paul Martini, CEO of cyber security specialist iboss Network Security, in a statement. “Incidents of this nature are becoming increasingly common and many important computer systems are vulnerable to modern, sophisticated threats aimed at stealing data. Organizations must invest in post-infection software that can quickly identify these security breakdowns to prevent valuable information from being stolen.”

Ulf Mattsson, CTO of data security company Protegrity, said that compliance with the Payment Card Industry (PCI) standard for handling credit cards does not eradicate the risk of a data breach.

PCI and privacy guidelines are a baseline of acceptable security, he said. “This is no time for corporate security officers to tell themselves, ‘My company is PCI compliant. We haven’t had any breaches. We should be OK.’ What they should really be asking themselves is, ‘Are we really good at protecting our most critical data or were we just lucky?’” he explained. “‘What else can we do to make sure criminals don’t steal our sensitive data, not to mention our reputation, our customers’ loyalty, our employees’ job satisfaction or even our profits?’”

The Mandarin Oriental breach is the latest in a string of high-profile cyberattacks. Last month, for example, health insurer Anthem said that a database containing personal information of approximately 80 million of its customers and employees had been hacked. Previous victims of hackers have included retailers like Target and Home Depot, banks like J.P. Morgan & Chase and entertainment conglomerate Sony Pictures. 

Mandarin Oriental operates hotels across the world including Paris, Shanghai, Hong Kong, London, New York, Miami, San Francisco, Prague, Boston, Las Vegas, Macau and Barcelona.

Follow James Rogers on Twitter @jamesjrogers

The Associated Press contributed to this report.