Hutton Hotel POS systems compromised with malware for four years

Hutton Hotel POS systems compromised with malware for four years

Nashville-based Hutton Hotel revealed a serious security breach that affected all customers who used their credit or debit cards at the hotel since September 2012. Hutton Hotel said hotel's payment processor discovered the breach and notified hotel officials.

Following an initial assertion of the security breach, Hutton Hotel has learned that point-of-sale systems used at its check-in counter and onsite food-and-beverage outlets had been infected with malware. All guests who used their payment card to pay for reservations and rooms between Sept. 19, 2012, and April 16, 2015, might have had their payment card data stolen.

Additionally, the malware was also present in the POS system used at the onsite food-and-beverage outlets from Sept. 19, 2012, to Jan. 15, 2015, and then from Aug. 12, 2015, to June 10, 2016.

Virtual Event

HOTEL OPTIMIZATION PART 2 | SEPTEMBER 10 & 24, 2020

Survival in these times is highly dependent on a hotel's ability to quickly adapt and pivot their business to meet the current needs of travelers and the surrounding community. Join us for Optimization Part 2 – a FREE virtual event – as we bring together top players in the industry to discuss alternative uses when occupancy is down, ways to boost F&B revenue, how to help your staff adjust to new challenges and more, in a series of panels focused on how you can regain profitability during this crisis.


In past payment card breaches, you generally see a POS malware infection going undetected for one or two years, reports Softpedia. At Hutton Hotel, the POS malware infiltration managed to stay hidden for a whopping four years.

Hutton Hotel says it has put in place new security measures and is now using "standalone payment processing devices" although it didn't explain how that helps. Law enforcement has been notified, and the hotel is working with payment card companies to identify those affected, reports BankInfoSecurity.

"For those guests that we can identify as having used their payment card during the at-risk window and for whom we have a mailing or email address, we will be mailing a letter or sending an email to them," it said.

Suggested Articles

The absolute occupancy and RevPAR levels were the lowest for any Q3 in STR’s U.S. database.

Implementation of Volara’s contactless guest engagement and touchless room controls system is part of a rollout by Viceroy Hotels & Resorts.

U.S. hotel occupancy was virtually flat at 50.1 percent during the week of Oct. 11-17, according to the latest data from STR.