HEI Hotels and Resorts -- Notice of Data Breach
HEI Hotels & Resorts (“HEI”) recently became aware of a security incident possibly affecting the personal information of some customers who made payment card purchases at point-of-sale terminals, such as food and beverage outlets, at certain HEI managed properties. As a precaution, we are providing this notice, on behalf of our hotel property owners, to make potentially affected customers aware of the incident and call their attention to steps they can take to help protect themselves. We take the security of personal information very seriously, and sincerely apologize for any inconvenience or concern this incident may cause.
HEI was recently alerted to a potential security incident by its card processor. Based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software on our payment processing systems at certain properties designed to capture payment card information as it was routed through these systems.
What Information Was Involved
We believe the malware could have affected payment card data—including name, payment card account number, card expiration date, and verification code—of customers who used a payment card at point-of-sale terminals at the affected properties and during the period of time identified below:
What We Are Doing
We are treating this matter as a top priority, and took steps to address and contain this incident promptly after it was discovered, including engaging outside data forensic experts to assist us in investigating and re mediating the situation and promptly transitioning payment card processing to a stand-alone system that is completely separated from the rest of our network. In addition, we have disabled the malware and are in the process of re configuring various components of our network and payment systems to enhance the security of these systems. We have contacted law enforcement and will continue to cooperate with their investigation. We are also coordinating with the banks and payment card companies. While we are continuing to review and enhance our security measures, the incident has now been contained and customers can safely use payment cards at all HEI properties.
What You Can Do
We want to make potentially affected customers aware of steps they can take to guard against fraud or identify theft. We recommend that customers review credit and debit card account statements as soon as possible in order to determine if there are any discrepancies or unusual activity listed. We urge customers to remain vigilant and continue to monitor statements for unusual activity going forward. If they see anything they do not understand or that looks suspicious, or if they suspect that any fraudulent transactions have taken place, customers should immediately notify the issuer of the credit or debit card. In instances of payment card fraud, it is important to note that federal laws and cardholder policies may limit cardholders’ responsibility for fraudulent activity; we therefore recommend reporting any suspicious activity in a timely fashion to the bank that issued the card.
We are also providing information and resources to help customers protect their identities, including an “Information About Identity Theft Protection” reference guide, available below, which describes additional steps customers may take to help protect themselves and recommendations from the Federal Trade Commission regarding identity theft protection.
For More Information
For more information about this incident and ways customers can protect themselves, contact us toll-free at 888-849-1113 between 9:00 a.m. and 9:00 p.m. Eastern time, Monday through Friday. Again, we regret any concern this incident may cause.
Information about Identity Theft Protection
We recommend that you regularly review statements from your accounts and periodically obtain your credit report from one or more of the national credit reporting companies. You may obtain a free copy of your credit report online at www.annualcreditreport.com, by calling toll-free 1-877-322-8228, or by mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281. You may also purchase a copy of your credit report by contacting one or more of the three national credit reporting agencies listed at the bottom of this page.
You should remain vigilant with respect to reviewing your account statements and credit reports, and you should promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities, including local law enforcement, your state’s attorney general, and/or the Federal Trade Commission (“FTC”). You may contact the FTC or your state’s regulatory authority to obtain additional information about avoiding and protection against identity theft: Federal Trade Commission, Consumer Response Center 600 Pennsylvania Avenue, NW, Washington, DC 20580, 1-877-IDTHEFT (438-4338), www.ftc.gov/idtheft.
For residents of Maryland: You may also obtain information about preventing and avoiding identity theft from the Maryland Office of the Attorney General: Maryland Office of the Attorney General, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, 1-888-743-0023, www.oag.state.md.us.
For residents of North Carolina: You may also obtain information about preventing and avoiding identity theft from North Carolina Attorney General’s Office: North Carolina Attorney General’s Office, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, 1-877-5-NO-SCAM, www.ncdoj.gov.
For residents of Rhode IslandYou may also obtain information about preventing and avoiding identity theft from the Rhode Island Office of the Attorney General: Rhode Island Office of the Attorney General, Consumer Protection Unit, 150 South Main Street, Providence, RI 02903, 401-274-4400, http://www.riag.ri.gov.
Fraud Alerts: There are also two types of fraud alerts that you can place on your credit report to put your creditors on notice that you may be a victim of fraud: an initial alert and an extended alert. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial fraud alert stays on your credit report for at least 90 days. You may have an extended alert placed on your credit report if you have already been a victim of identity theft with the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years. You can place a fraud alert on your credit report by contacting any of the three national credit reporting agencies at the addresses or toll-free numbers listed at the bottom of this page.
Credit Freezes: You may have the right to put a credit freeze, also known as a security freeze, on your credit file, so that no new credit can be opened in your name without the use of a PIN number that is issued to you when you initiate a freeze. A credit freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. If you place a credit freeze, potential creditors and other third parties will not be able to get access to your credit report unless you temporarily lift the freeze. Therefore, using a credit freeze may delay your ability to obtain credit. In addition, you may incur fees to place, lift and/or remove a credit freeze. Credit freeze laws vary from state to state. The cost of placing, temporarily lifting, and removing a credit freeze also varies by state, generally $5 to $20 per action at each credit reporting company. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company. Since the instructions for how to establish a credit freeze differ from state to state, please contact the three major credit reporting companies as specified below to find out more information.
Additional Information for Massachusetts Residents: Massachusetts law gives you the right to place a security freeze on your consumer reports. The credit reporting company may charge a reasonable fee of up to $5 to place a freeze or lift or remove a freeze, unless you are a victim of identity theft or the spouse of a victim of identity theft, and have submitted a valid police report relating to the identity theft to the credit reporting company. (By law, you have a right to obtain a police report relating to this incident, and if you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.) You may request that a freeze be placed on your credit report by sending a request to a credit reporting agency by certified mail, overnight mail or regular stamped mail to the address below. The following information should be included when requesting a security freeze (documentation for you and your spouse must be submitted when freezing a spouse’s credit report): full name, with middle initial and any suffixes; Social Security number, date of birth (month, day and year); current address and previous addresses for the past five (5) years; and applicable fee (if any) or incident report or complaint with a law enforcement agency or the Department of Motor Vehicles. The request should also include a copy of a government-issued identification card, such as a driver’s license, state or military ID card, and a copy of a utility bill, bank or insurance statement. Each copy should be legible, display your name and current mailing address, and the date of issue (statement dates must be recent).
You can obtain more information about fraud alerts and credit freezes by contacting the FTC or one of the national credit reporting agencies listed below.
National Credit Reporting Agencies
P.O. Box 740241
Atlanta, GA 30374
Fraud Alerts: P.O. Box 740256, Atlanta, GA 30374
Credit Freezes: P.O. Box 105788, Atlanta
P.O. Box 2002
Allen, TX 75013
Fraud Alerts and Security Freezes: P.O. Box 9554, Allen, TX 75013
P.O. Box 1000
Chester, PA 19016
Fraud Alerts and Security Freezes: P.O. Box 2000, Chester, PA 19022 / 888-909-8872