Resources and information for guests
ADDITIONAL INFORMATION ABOUT THE PRESS RELEASE DATED
APRIL 8, 2015
To Our Valued Guests,
We understand that the recent press release regarding the suspected data breach at food and beverage outlets at 10 of our managed-hotels may have caused concern and inconvenience. To be clear, systems other than the point of sales systems at the food and beverage outlets are not believed to be affected. The unlawfully accessed data at risk is believed to be limited to names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates of credit/debit cards used at the food and beverage outlets at the 10 hotels during the period July 3, 2014 through February 6, 2015.
As stated in the press release, White Lodging Services Corporation (White Lodging) is an independent hotel management company that is separate and distinct from all of the hotel brand companies. White Lodging operates hotels as a franchisee of hotel brand companies (for example Marriott and Starwood) under management agreements with the owner of the hotels.
“After suffering a malware incident in 2014, we took various actions to prevent a recurrence, including engaging a third party security firm to provide security technology and managed services,” said Dave Sibley, White Lodging president and CEO, Hospitality Management. “These security measures were unable to stop the current malware occurrence on point of sale systems at food and beverage outlets in 10 hotels that we manage. We continue to remain committed to investing in the measures necessary to protect the personal information entrusted to us by our valuable guests. We deeply regret and apologize for this situation.”
We are offering one year of complimentary fraud resolution and identity protection services, provided by Experian® Consumer Services (Experian), to those affected by this incident. For more information about how to enroll for this service please send an email to WhiteLodging@protectmyid.com. You will then receive enrollment instructions. Alternatively, you can enroll by calling 1-866-926-9803. If you call this number you will be presented with a recorded message and various options. Press 1 to access the enrollment information. If you are a non-U.S. resident the available services will vary. If you decide to enroll in the service, you will be required to provide your Social Security number for identification purposes.
Please note when these type of incidents occur, some criminals seek to fraudulently obtain the personal information of affected individuals by claiming to be the business that experienced the incident. We advise you NOT to respond to any requests from entities requesting your sensitive personal information in relation to this incident. The hotels, hotel brands, White Lodging, or anyone legitimately contacting you on their behalf will NOT ask you for other sensitive personal information with regard to this incident. (Experian, the service provider we have engaged to provide one year of complimentary personal identity protection services to all affected guests requires your Social Security number if you choose to enroll in the Experian service). We will only ask for the most limited amount of information necessary to provide the identity protection services. If you receive any suspicious looking written or electronic requests purporting to be from the hotels, hotel brands, White Lodging, Experian or anyone please call us at 1-866-926-9803. If you call this number to report suspicious activity you will be presented with a recorded message and various options. Press 1 to reach a call agent.
It is our intention to provide you with as much information as we reasonably can to help you understand what happened, the steps you can take to protect your credit/debit card used at the affected outlets and the steps we have taken to protect you.
We have prepared this information to answer questions you may have about this incident and describe resources that we believe will be informative and helpful to you.
Q: I was a guest at one of the hotels during the time period disclosed but did not use my credit/debit card at food and beverage outlets. Is my credit/debit card data at risk?
A: The preliminary results of the forensic review do not indicate the presence of malicious software on the property management system used at the front desk to process room charges. Thus, your credit/debit card data is not believed to be at risk.
Q: How do I know if my credit/debit card was affected by this incident?
A: If you used your credit/debit card at a food and beverage outlet at any of the following hotels anytime from July 3, 2014 through February 6, 2015, your card may be at risk of theft:
- Indianapolis Marriott Downtown, Indianapolis, IN
- Chicago Marriott Midway Airport, Chicago, IL
- Auburn Hills Marriott Pontiac at Centerpoint, Pontiac, MI
- Austin Marriott South Airport, Austin, TX
- Boulder Marriott, Boulder, CO
- Denver Marriott South at Park Meadows, Denver, CO
- Louisville Marriott Downtown, Louisville, KY
- Renaissance Boulder Flatiron, Broomfield, CO
- Courtyard Austin Downtown, Austin, TX
- Sheraton Hotel Erie Bayyfront, Erie, PA
Q: Why wasn’t I notified directly about this incident?
A: Because this incident affected the point of sale systems at select food and beverage outlets we do not have not have contact information associated with the affected credit/debit cards. Therefore, we could not notify you directly by email, postal mail or telephone.
Q: What happened?
A: On January 27, 2015, White Lodging was initially notified of some unusual activity on credit cards used at four Marriott branded hotels that are managed by White Lodging.
We quickly engaged a third party forensic services provider to conduct an investigation. We also notified the U.S. Secret Service. The preliminary results of the investigation revealed malicious software and remnants of such software on a number of the point of sale terminals used at food and beverage outlets at the hotels previously listed. Because this malicious software (also referred to as malware) was detected, the credit/debit card data entered on these devices was at risk of theft.
Q: What specific information was disclosed about me?
A: The unlawfully accessed data at risk is believed to be limited to names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates.
Q: Was my spouse or other family members’ information also affected?
A: No, only the information of guests who used their credit/debit cards at the affected locations listed above have been impacted by this event.
Q: Why wasn’t this incident announced sooner?
A: We received an initial communication of suspicious activity on credit cards from a credit union on January 27, 2015. Following that communication we promptly notified law enforcement, engaged a security forensic firm and commenced the investigation. The forensic investigation, research to identify the affected locations and cards, the procurement of identity theft protection services and preparation of communications was conducted as quickly as possible.
Q. Who is White Lodging and what is their relationship to Marriott and Starwood?
A: White Lodging is an independent hotel management company that is separate and distinct from all of the hotel brand companies such as Marriott (Marriott, Courtyard and Renaissance brands) and Starwood (Sheraton brand). White Lodging operates hotels as a franchisee of these hotel brand companies under management agreements with the owner of the hotels.
Q: Is this incident related to the breach reported by White Lodging in February 2014?
A: This is a separate incident and not related to the one reported in 2014. However, some of the same hotels were affected by this recent incident.
Q: Why were some of the same hotels affected by the 2014 and 2015 incidents?
A: We implemented various corrective actions at the affected hotels after the 2014 incident to prevent a recurrence, including engaging a third party security firm to provide security technology and managed services. Unfortunately, the security measures put in place did not stop the implantation of malware on point of sale systems at food and beverage outlets in select hotels that we manage. However, we will continue to take steps that are designed to prevent these occurrences and are committed to investing in the measures necessary to protect the personal information entrusted to us by our valuable guests.
Q: Has the person who accessed the information been caught?
A: Law enforcement has not notified us of any arrests; our investigation is on-going and we are fully cooperating with law enforcement and the credit card companies.
Q: What is White Lodging doing to protect me?
A: To help protect your identity, we have engaged Experian, the largest credit bureau in the US, to offer you complimentary fraud resolution and identity protection for one-year.
If you desire to enroll in the Experian service you will be able to do so by sending an email to WhiteLodging@protectmyid.com. If you do not have access to email, a call center agent will be able to facilitate enrollment when you call 1-866-926-9803 and Press 1. Note: If you decide to enroll in the credit monitoring service you will be required to provide your Social Security number to verify your identity. For non-U.S. residents the service offering will vary.
Q: Has the investigation concluded?
A: No, the investigation is on-going and we are fully cooperating with law enforcement and the credit card companies.
Q: What has been done to prevent a reoccurrence in the future?
A: We are taking steps designed to prevent a reoccurrence based on our current and past experiences.
Q: Should I notify the bank (or American Express for Amex cards issued directly) that issued my credit card?
A: You may want to contact the bank or American Express that issued your card and inquire of them if they suggest any additional steps.
Q: Is there an expiration date to take advantage of the one year of complimentary fraud resolution and identity protection services?
A: Yes, you must enroll by July 31, 2015.
Q: When will the complimentary fraud resolution and identity protection services end?
A: The ending date of the services is 12 months after the date you enroll. You must enroll by July 31, 2015.
Q: What is the difference between a fraud alert or security freeze and the service Experian provides?
A: A fraud alert or security freeze placed through Equifax, Experian or Trans Union is a separate service from the Experian fraud resolution and identity protection service.
A fraud alert is an alert that the three major credit reporting companies attach to your credit file. When you, or someone else, attempt to open a credit account, the lender should contact you to verify that you want to open the new account. If you cannot be reached by phone, the credit account should not be opened.
A security freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company.
The Experian fraud resolution and identity protection is a service that monitors for signs of fraud or unauthorized use of your credit card accounts, and provides you with you with a notification of significant changes to your credit files.
Q: What do I do if my credit accounts have been tampered with or if new accounts have been opened fraudulently?
A: If you observe suspicious activity, contact your creditors immediately. Ask to speak to someone in the security or fraud department, and follow up in writing. If you discover a changed billing address on an existing credit card account, close the account. When you open a new account, ask that a password be used before any inquiries or changes can be made on the account. When selecting a password or Personal Identification Number (PIN), avoid using easily available information like your birth date or name.
Information about Identity Theft
Federal Trade Commission
The Federal Trade Commission provides helpful information about how to avoid identity theft.
- Visit: http://www.ftc.gov/idtheft
- Call (toll-free): 1-877-ID-THEFT (1-877-438-4338)
- Write: Consumer Response Center, Federal Trade Commission, 600 Pennsylvania Ave., NW, Washington, DC 20580.
Free Annual Credit Reports
You may obtain a free copy of your credit report once every 12 months.
- Visit: http://www.annualcreditreport.com
- Call (toll-free): 1-877-322-8228
- Write: Complete an Annual Credit Report Request Form and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281 (you can print a copy of the form at http://www.consumer.ftc.gov/articles/pdf-0093-annual-report-request-form.pdf).
You also may purchase a copy of your credit report by contacting one of the three national credit reporting companies.
P. O. Box 740241
Atlanta, GA 30374-0241
P. O. Box 9554
Allen, TX 75013
2 Baldwin Place
P.O. Box 1000
Chester, PA 19022
Fraud Alerts: “Initial Alert” and “Extended Alert”
You can place two types of fraud alerts on your credit report to put your creditors on notice that you may be a victim of fraud: an “Initial Alert” and an “Extended Alert.” An Initial Alert stays on your credit report for 90 days. You may ask that an Initial Alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An Extended Alert stays on your credit report for seven years. To obtain the Extended Alert, you must provide proof to the credit reporting company (usually in the form of a police report) that you actually have been a victim of identity theft. You have the right to obtain a police report regarding the data security incident. You can place a fraud alert on your credit report by calling the toll-free fraud number of any of the three credit reporting companies provided above.
A potential drawback to activating a fraud alert would occur when you attempt to open a new account. You would need to be available at either your work phone number or home phone number in order to approve opening the new credit account. If you are not available at either of those numbers, the creditor may not open the account. In addition, it may take longer to obtain credit and in some cases merchants may be hesitant to open a new account.
Fraud alerts will not necessarily prevent someone else from opening an account in your name. A creditor is not required by law to contact you if you have a fraud alert in place. Fraud alerts can legally be ignored by creditors. If you suspect that you are or have already been a victim of identity theft, fraud alerts are only a small part of protecting your credit. You also need to pay close attention to your credit report to make sure that the only credit inquiries or new credit accounts in your file are yours.
You may contact all of the three major credit reporting agencies using the information below that they have published. Credit agencies will need to verify your identity which will require providing your Social Security number and other similar information.
P.O. Box 2000
Chester, PA 19022-2000
P. O. Box 740241
Atlanta, GA 30374-0241
P. O. Box 9554
Allen, TX 75013
Placing a fraud alert does not damage your credit or credit score. Additional information may be obtained from www.annualcreditreport.com.
Credit or Security Freeze on Credit File
In some U.S. states, you have the right to put a credit freeze (also known as a security freeze) on your credit file. A credit freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company. If permitted in your State, using a security freeze may interfere with, or delay your ability to obtain credit.
A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent; however, using a security freeze may interfere with or delay your ability to obtain credit. To place a security freeze on your credit report, contact the credit reporting agencies using the information below, and be prepared to provide the following (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well):
(1) full name, with middle initial and any suffixes;
(2) Social Security number;
(3) date of birth;
(4) current address and any previous addresses for the past two years; and
(5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles.
The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. The consumer reporting agency may charge a fee of between $5.00 and $20.00 to place, lift, and/or remove a freeze, unless you are a victim of identity theft or the spouse of a victim of identity theft, and you have submitted a valid police report relating to the identity theft incident to the consumer reporting agency. The addresses of consumer reporting agencies to which requests for a security freeze may be sent are:
P.O. Box 2000
Chester, PA 19022-2000
Equifax Security Freeze
P.O. Box 105788
Atlanta, Georgia 30348
P. O. Box 9532
Allen, TX 75013
The credit reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number (PIN) or password, or both that can be used by you to authorize the removal or lifting of the security freeze.
To lift the security freeze to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include:
- proper identification (name, address, and Social Security number);
- the PIN or password provided to you when you placed the security freeze; and
- the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available.
The credit reporting agencies have three (3) business days after receiving your request to lift the security freeze for those identified entities or for the specified period of time.