Editor’s Note: This timeline has been updated to include data breaches confirmed in 2019 and 2020 by Marriott International, Choice Hotels International and more.
GLOBAL REPORT—Hackers continue to target the hospitality industry with sophisticated attacks on secured data. More than a dozen data breaches have been reported by hotels since 2010, affecting everything from major multinational corporations to single properties.
Here is a roundup of the widely reported data security attacks on the hotel industry since 2010. This list will be updated as more breaches are confirmed.
2020
Marriott International
When: Announced 31 March
What happened: Marriott International announced it had discovered at the end of February 2020 that guest information “may have been accessed using the login credentials of two employees at a franchise property” starting in mid-January 2020. In a news release, Marriott confirmed that information of up to 5.2 million guests could be involved, including contact information and loyalty account information.
MGM Resorts International
When: Confirmed 19 February
What happened: MGM Resorts International acknowledged it had suffered a data breach in 2019 that affected 10.6 million guests, according to monitoring firm Under the Breach. The personal data compromised includes full names, home addresses, phone numbers, email addresses and dates of birth for tourists, business travelers, tech CEOs, reporters, government officials and more.
MGM Resorts’ security team confirmed the data posted online was hacked from a cloud server containing “a limited amount of information for certain previous guests.” The company said it was confident the breach did not include financial, payment card or password data.
2019
Choice Hotels International
When: Announced 29 November
What happened: Choice Hotels International notified guests of “inadvertent disclosure of certain guest information” to third-party business partners as a result of customers receiving a browser error. Choice described the issue as the Safari browser repopulating information input into reservation fields once the reservation page reloaded. That guest information included name, email address, credit card number and credit card expiration date. Overall, this issue occurred approximately 88,000 times from June 2015 through 12 November 2019.
According to a company news release on the inadvertent disclosure: “As soon as Choice identified what caused this issue, the company made changes to its website to override how Safari responds after a crash. Choice is also contacting the third-party companies it works with to ask them to delete any data they may inadvertently have.”
When: Confirmed 15 August
What happened: The personal data of approximately 700,000 guests of Choice Hotels International was exposed to hackers over an unsecured database, which was first reported by ConsumerAffairs and confirmed in a statement by Choice.
According to Choice’s statement, the breach of records “did not contain payment, password or reservation information,” but did include “some guest contact information, including names, addresses, phone numbers and/or email addresses.”
The breach originated on a vendor’s server, which was hosting the data without authorization “to test a security offering,” according to Choice. “None of our servers were accessed,” the company stated.
Drury Hotels
When: Announced 24 May
What happened: Drury Hotels notified customers that transaction records from third-party online booking sites were accessed between 29 December 2017 and 13 March 2019. The information obtained included name and payment card number, expiration date and verification code. Some records included addresses and email addresses, but reservation dates were not involved. Drury Hotels confirmed that the breach did not affect direct bookings made on its website or mobile platform.
2018
Marriott International
When: Announced 30 November
What happened: Marriott officials issued a news release stating it received an alert on 19 November that hackers had attempted to access its Starwood Hotels & Resorts Worldwide guest reservation database on 8 September. Further investigation revealed unauthorized access to the system as far back as 2014, a year before Marriott announced its intentions to acquire Starwood.
Marriott estimates approximately 500 million guests who made a reservation at a Starwood property since 2014 might have had their information at risk, including 327 million guests whose data includes “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.” Marriott also confirmed some compromised guest data includes payment card numbers and expiration dates.
Radisson Hotel Group
When: Announced 2 November
What happened: Radisson identified a data breach in its Radisson Rewards database, which affected “a small percentage of our Radisson Rewards members,” according to a news release issued by the company.
According to Radisson’s security investigation, no payment card or password information was compromised as part of the breach, which was “restricted to member name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number and any frequent flyer numbers on file.”
Huazhu Hotels Group
When: Reported 28 August
What happened: Reuters was one of several media outlets to report Chinese police were investigating a possible data breach at Huazhu Hotels Group after being alerted to the leak through social media. Technode reports the leak affected 130 million customers. The Straits Times, citing China’s state news agency Xinhua, reported more than 500 million pieces of guest-related information were compromised across 13 Huazhu hotel brands, including name, cellphone number, login credentials, addresses, date of birth, credit card numbers and room numbers. No timeframe of the breach was reported.
Huazhu issued two news releases regarding the security incident in September. The first reaffirmed its commitment to consumer protection and privacy, while the second gave additional details on the progress of the police investigation, including the arrest of suspects who were linked to the hack and whose attempted sale of consumer data “was not successful.”
2017
Hilton
On 1 November, BBC News reported Hilton was fined $700,000 for mishandling data breaches in 2014 and 2015. The company discovered the first breach in February 2015 and the second in July 2015, but first went public with the breaches in November 2015. U.S. federal investigators said Hilton “had taken too long to warn customers and had lacked adequate security measures.”
Hyatt Hotels Corporation
When: Announced 12 October
What happened: According to a report from Reuters, Hyatt discovered a data breach into guest payment card information at 41 corporate-managed properties across 11 countries. The breach exposed the properties between 18 March and 2 July. Of the affected hotels, 18 were in China. This was Hyatt’s first major breach since December 2015.
Hyatt Centric The Loop Chicago
When: Announced 4 August
What happened: Integrated Clark Monroe and Interstate Management Company, the owner and management company, respectively, of the Hyatt Centric The Loop Chicago in Chicago, notified guests it had removed “suspicious software from the front-desk computer system” that possibly targeted and exposed payment card information used by guests during check-in at the property between 27 September 2016 and 28 April 2017. Both companies confirmed in a news release that the threat was limited to the property and did not reach Hyatt’s or Interstate’s systems.
Galt House Hotel
When: Announced 26 July
What happened: The Louisville, Kentucky property learned on 26 June that malware had been installed on its credit card readers that targeted cardholder names, account numbers, expiration dates and verification codes. The hotel confirmed in a news release that guests who used their cards on-property between 21 December 2016 and 11 April 2017 might have been at risk.
Sabre Hospitality Solutions
When: Announced starting 6 July
What happened: Multiple hotel companies, including Hard Rock Hotels & Casinos, Four Seasons Hotels and Resorts, Trump Hotels, Loews Hotels, Kimpton Hotels & Restaurants, RLH Corporation and Club Quarter Hotels reported a data breach via a third-party reservations system provided by Sabre Hospitality Solutions. Sabre notified the companies in June of the breach, which granted unauthorized access to credit card information and some reservation information between August 2016 and March 2017. The Roosevelt Hotel in New York City later reported, on 14 August, that it also had been affected by the Sabre breach.
Hard Rock reported 11 properties in the U.S., Mexico and Caribbean regions were affected by the breach. Trump Hotels reported 14 properties in the U.S., United Kingdom, Ireland, Canada and South America were affected by the breach. Loews Hotels notified guests that 21 properties in the U.S. and Canada were affected by the data breach.
Four Seasons did not provide a list of properties affected but specified in a news release that “reservations made on Fourseasons.com, with Four Seasons’ Worldwide Reservations Office, or made directly with any of Four Seasons’ 105 hotels or resorts were not compromised by this incident.”
RLHC confirmed the Sabre breach potentially affected reservations made at eight of the company’s brands, including: Americas Best Value Inn, Canadas Best Value Inn, Jameson, Lexington, Signature Inn, Country Hearth, 3 Palms and Americas Best Inns & Suites. Guests who booked with its other brands—Hotel RL, Red Lion Hotels, Red Lion Inn & Suites, Settle Inn Extended Stay and GuestHouse—were not at risk from the breach, according to the company.
InterContinental Hotels Group
When: First announced 3 February, updated in April
What happened: IHG’s Americas division confirmed food-and-beverage outlets at 12 U.S. hotels were hit by a data breach between 1 August and 20 December 2016, according to a news release. Company officials said malware was installed on the servers of payment card processors of restaurants at IHG-managed hotels in the U.S. and Canada.
Then, in April, data security blog KrebsOnSecurity reported the breadth of IHG’s credit card breach had extended from 12 properties to more than 1,000 hotels in the U.S. and Puerto Rico. “According to a statement released by IHG, the investigation ‘identified signs of the operation of malware designed to access payment card data from cards used on-site at front desks at certain IHG-branded franchise locations between 29 September 2016 and 29 December 2016,’” the news site reported.
The InterContinental Toronto Yorkville was one of the 12 IHG-managed properties affected by a data breach that was announced 3 February. Guests who used credit cards at F&B outlets at InterContinental Toronto Yorkville between 1 August and 28 November may be at risk. (Photo: InterContinental Hotels Group)
2016
Hutton Hotel
When: Announced 5 September
What happened: The Nashville hotel notified customers of a data breach that could have affected guests who booked a stay at the property between 19 September 2012 and 16 April 2015. Point-of-sales systems at the Hutton were also targeted for a majority of that time period and also between 12 August 2015 and 10 June 2016.
Noble House Hotels & Resorts
When: Announced 2 September
What happened: The Kirkland, Washington-based hotel company initiated an investigation that found malware at nine U.S. properties that put guest credit card data at risk between 25 April and 3 August 2016. This data breach was the second in two years reported by Noble House; the company previously notified customers of a separate attack on 13 November 2015.
Millennium Hotels & Resorts
When: Announced 26 August
What happened: Millennium’s North America office based in Boulder, Colorado, notified customers that 14 U.S. hotels in the company’s portfolio were hit with a data security attack between early March and mid-June 2016. Hackers targeted F&B point-of-sales systems but did not infiltrate Millennium’s property management or booking systems, according to a news release.
Kimpton Hotels & Restaurants
When: Announced 26 July
What happened: After being contacted by data security blog KrebsOnSecurity in response to rumors of a potential breach, Kimpton officials confirmed the company had been targeted by hackers by releasing a statement on its website. At the end of August, Kimpton relayed more information about the attack, which reportedly occurred between 16 February and 7 July 2016. Hackers reportedly used malware to scrape information from guest credit cards.
Omni Hotels & Resorts
When: Announced 8 July
What happened: The Dallas-based hotel company discovered on 30 May that a malware attack had targeted credit card information at point-of-sales systems at various Omni properties between 23 December 2015 and 14 June 2016, according to a letter to guests posted on the company’s website. The Dallas Morning News reported Omni officials confirmed “more than 50,000 customer credit and debit cards” at 49 properties were affected by the breach.
Hard Rock Hotel & Casino Las Vegas
When: Announced 5 July
What happened: The Las Vegas resort discovered a breach in its payment card system on 13 May after investigating reports of fraudulent activity with payment cards used at the property, according to a company news release.
Card-scraping malware that targeted cardholder names, card numbers, expiration dates and verification codes was found at the Hard Rock’s restaurant and retail outlet payment systems. Guests who stayed at the resort between 27 October 2015 and 21 March 2016 could have been affected.
Trump Hotel Collection
When: Announced 4 April
What happened: According to technology security blog KrebsOnSecurity, unnamed sources identified “a pattern of fraud on customer credit cards, which suggests hackers have breached credit card systems at some—if not all—of the Trump Hotel Collection properties.” Dates of the breach and properties affected have not yet been specified.
Trump officials released a statement to HNN attributed to Eric Trump, EVP of development and acquisitions for The Trump Organization, who said the company is investigating the breach with law enforcement and is “committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”
Rosen Hotels & Resorts
When: Announced 4 March
What happened: According to a news release from Orlando, Florida-based Rosen Hotels & Resorts, the company was told on 3 February that guests who had stayed at Rosen properties were notified of unauthorized credit card charges. The breach may have affected all company properties between 2 September 2014 and 18 February 2016, according to the release. The company has seven Florida hotels in its portfolio, including six in Orlando.
2015
Hyatt Hotels Corporation
When: Announced 23 December
What happened: Hyatt announced a data breach that occurred on 30 November 2015, but few details were released at the time. On 15 January 2016, Hyatt officials confirmed hackers targeted payment card data from cards used onsite at 250 Hyatt locations, primarily restaurants, between 13 August 2015 and 8 December 2015.
The Hyatt Regency Buffalo/Hotel and Conference Center in Buffalo, New York, was one of the 250 Hyatt properties hit during a data breach between 13 August 2015 and 8 December 2015. (Photo: Hyatt Hotels Corporation)
Hilton
When: Announced 24 November
What happened: According to a letter posted on Hilton’s website and written by EVP of global brands Jim Holthouser, a data security attack affected payment systems at Hilton properties from 18 November to 5 December 2014 and 21 April to 27 July 2015. The company released a data breach FAQ but did not specify how many guests were affected. Hilton officials did not specify which properties were targeted.
Starwood Hotels & Resorts Worldwide
When: Announced 20 November
What happened: According to a company news release, point-of-sale systems at more than 70 Starwood properties in North America were infected with malware. The affected dates varied by properties, but all told, the attack on the company occurred between 7 November 2014 and 30 June 2015. Officials said guest reservation and loyalty systems were not affected in the attack.
Noble House Hotels and Resorts
When: Announced 13 November
What happened: The breach affected six properties in Florida, California, Colorado and Washington over different time periods, starting 29 December 2014 through 11 August 2015 according to a Noble news release. Malware installed on payment systems at the affected properties downloaded guest information from the magnetic strip on credit cards.
Guests who stayed at the Mountain Lodge Telluride in Telluride, Colorado, between 29 December 2014 and 27 May 2015 were at risk of credit card fraud as Noble House Hotels and Resorts experienced a data breach at six properties between December 2014 and August 2015. (Photo: Mountain Lodge Telluride)
Trump Hotel Collection
When: Announced 5 October
What happened: Hackers targeted guest credit card information at seven Trump hotels between 19 May 2014 and 2 June 2015, according to the New York-based company. The affected properties included two hotels in New York, along with properties in Miami, Chicago, Hawaii, Las Vegas and Toronto. Trump officials said there was no evidence any guest information was removed from their data systems, but all news regarding the incident was released as a precaution.
Mandarin Oriental Hotel Group
When: Announced 5 March
What happened: Mandarin’s credit card system was compromised by malware. Ten properties across the globe were affected between 18 June 2014 and 12 March 2015. After first confirming the breach in March, the company issued a news release several months later that claimed there was no evidence of identity fraud among affected guests.
White Lodging Services Corporation
When: Announced 5 February, more details released 8 April
What happened: The data breach affected point-of-sales systems at food-and-beverage outlets at 10 White Lodging properties between 3 July 2014 and 6 February 2015. Nine of the 10 affected properties were Marriott brands. This was White Lodging’s second data breach since the beginning of 2014.
The Louisville Marriott Downtown was one of 10 White Lodging Service Corporation properties affected by a data security breach between 3 July 2014 and 6 February 2015. (Photo: Louisville Marriott Downtown)
2014
Houstonian Hotel Club & Spa
When: First reported 8 July
What happened: According to The Houston Chronicle, it was not known how many customers or transactions at the property’s payment systems were affected, but approximately 10,000 customers between 28 December 2013 and 20 June 2014 were at risk of identity fraud.
White Lodging Services Corporation
When: Announced 3 February
What happened: White Lodging reported that point-of-sale systems at 14 of its properties in the U.S.—mostly falling under the , Renaissance and Holiday Inn brands—had been breached between 20 March and 16 December of 2013. In most instances, F&B point-of-sale systems were affected, but in one case a hotel’s property-management system was also affected. The company launched a review with federal law enforcement officials and initiated a third-party forensic review.
2010
HEI Hospitality
When: Announced 2 September
What happened: The data security attack targeted guest credit card transactions made at 10 HEI hotels between 25 March and 10 April. The affected hotels included both Marriott and Starwood brands in California, Michigan, Florida and others.
Westin Bonaventure Hotel and Suites in Los Angeles
When: Announced 8 March
What happened: Hackers targeted guest credit card information at the Los Angeles hotel’s four restaurants and valet services between April and December 2009.
Wyndham Worldwide Corporation
When: Three separate breaches between April 2008 and January 2010
What happened: Wyndham hotels were hit with data security attacks three times between April 2008 and January 2010, which resulted in nearly $11 million in identity fraud, according to Reuters. The Federal Trade Commission pursued legal action against Wyndham in 2012, but both parties settled the case on 9 December 2015, with Wyndham agreeing to an FTC consent order and being absolved of paying any monetary damages.
Compiled by Dan Kubacki.