Third-party security breach impacts Drury Hotels

Drury Hotels is encouraging guests to closely review payment-card statements for any unauthorized charges. Photo credit: Drury Hotels

Drury Hotels is investigating a security incident experienced by a third-party technology service provider. The provider, a company that Drury Hotels and other hotel companies use to collect reservations made by guests on third-party online booking websites and enter them into its system, notified Drury that it was investigating unauthorized access to the provider's network.  

While Drury isn’t publicly saying who the service provider is, the provider has advised the hotel that certain transaction records from some third-party online booking sites were accessed between Dec. 29, 2017 and March 13, 2019. Reservations that were made directly with Drury Hotels were not involved in this incident. The service provider reported that it had hired a cybersecurity firm to conduct an investigation.   

The information in the transaction records that were involved included name, payment card number, expiration date and the card's external verification code. Some transaction records also included mailing addresses or email addresses. Specific details regarding the reservation itself were not involved. Only transaction records from some third-party online booking websites were involved. Only some, not all, of the transaction records from those booking sites were involved, the hotel company said. Drury is encouraging guests to closely review payment-card statements for any unauthorized charges.  

“We regret that this incident occurred and apologize for any inconvenience. Since then Drury Hotels has worked closely with the service provider to get updates on its investigation,” the hotel company said in a statement. “We received a list of the specific transaction records that were involved on May 15, 2019. For the transaction records that contained a mailing address, Drury Hotels is mailing letters to those individuals. For transaction records without an address that contained an email address, Drury Hotels is sending email notifications to those individuals. And Drury Hotels issued this press release and posted a notification on its website to provide notification to others involved. If you do not receive a notification letter or email, either your information was not involved in this incident or the list from the service provider did not contain your mailing address or email address.”

Drury Hotels received confirmation from the service provider that it has undertaken measures to prevent something like this from happening again, the company also said. The hotel will continue to work with the service provider to identify the security enhancements it is implementing.

Continuing Trend

Nearly 70 percent of travel buyers say their travelers have been affected by a payment-related data breach from an outside vendor such as a hotel, airline or retailer in the past year, according to new research from the Global Business Travel Association in partnership with AirPlus International. 

The survey of 144 U.S. travel buyers also revealed that they believe the risk of fraud is growing, with two-thirds (68 percent) saying travel programs face a greater threat today than they did two or three years ago.

Two years ago, Sabre Corporation disclosed a breach of its SynXis central-reservations system that may have exposed consumers' payment-card data and personally identifiable information. In an SEC filing, the $3.37 billion corporation acknowledged that its SynXis software-as-a-service platform was accessed by an unauthorized party, who gained access to payment information corresponding to a subset of hotel reservations. Sabre did not specify when or how the actual intrusion took place or how many records were potentially affected. Sabre does not believe any other system was affected.

Marriott International last year disclosed a massive data breach exposing the personal and financial information of as many as half a billion customers who made reservations at properties the company acquired from Starwood Hotels & Resorts Worldwide. A statement from Marriott said investigators also found an unauthorized party had “copied and encrypted information, and took steps toward removing it.” The breach lasted for four years.

For as many as 327 million guests, compromised information could include passport information, telephone numbers and email addresses. In addition, some other guests' credit card information was within the hackers' reach, according to the company.

Earlier in 2018, Orbitz disclosed a security breach that may have exposed the data of thousands of customers, including information on 880,000 payment cards. The Expedia-owned travel website operator said the breach affected an older website and the platform of an unnamed business partner. The hackers “likely accessed” people’s names, dates of birth, email addresses, street addresses and genders, Orbitz said.