Resources and information for guests
Read the most recent press release about the payment card investigation.
ADDITIONAL INFORMATION ABOUT THE PRESS RELEASE DATED
FEBRUARY 3, 2014
To Our Valued Guests,
We understand that the recent press release regarding the suspected data breach at some of our managed-hotels may have caused concern and inconvenience. To be clear, our investigation revealed that the food and beverage outlets at 14 hotels were affected. At one of these hotels both the property management system used to process guests’ credit card data and the point of sale system at the food and beverage outlets were affected. This incident was communicated in a press release because we do not have contact information for the affected cardholders.
We deeply regret and apologize for this situation. Please be assured that we take the protection of the information you entrust to use seriously and are working to prevent a recurrence in the future. It is our intention to provide you with as much information as we reasonably can to help you understand what happened, the steps you can take to protect your credit/debit card and the steps we have taken to protect you.
Please note when these type of incidents occur, some criminals seek to fraudulently obtain the personal information of affected individuals by claiming to be the business that experienced the incident. We advise you NOT to respond to any requests from entities requesting your sensitive personal information in relation to this incident. The hotels, hotel brands, White Lodging, AllClearID (the service provider we have engaged to provide one year of complimentary personal identity protection services to all affected cardholders) or anyone legitimately contacting you on their behalf will NOT ask you for other sensitive personal information with regard to this incident. We will only ask for the most limited amount of information necessary to provide the identity protection services. If you receive any suspicious looking written or electronic requests purporting to be from the hotels, hotel brands, White Lodging, AllClearID or anyone please call us at 1-855-865-4453.
We have prepared this information to answer questions you may have about this incident and describe resources that we believe will be informative and helpful to you.
As mentioned, we are also offering one year of complimentary personal identity theft protection services, provided by AllClearID, to those affected by this incident.
For more information about how to enroll for this service please call 1-855-865-4453 or visit https://whitelodging.allclearid.com. If you are a non-U.S. resident the available services will vary.
Q: What happened?
A: On January 16, 2014, White Lodging was notified that there was a suspected breach of credit/debit card data during the period March 20 – December 16, 2013 at food and beverage outlets at the following hotels:
• Marriott Midway, Chicago, IL
• Holiday Inn Midway, Chicago, IL
• Holiday Inn Austin Northwest, Austin, TX
• Sheraton Erie Bayfront, Erie, PA
• Westin Austin at the Domain, Austin, TX
• Marriott Boulder, Boulder, CO
• Marriott Denver South, Denver, CO
• Marriott Austin South, Austin, TX
• Marriott Indianapolis Downtown, Indianapolis, IN
• Marriott Richmond Downtown, Richmond, VA
• Marriott Louisville Downtown, Louisville KY
• Renaissance Plantation, Plantation, FL
• Renaissance Broomfield Flatiron, Broomfield, CO
• Radisson Star Plaza, Merrillville, IN
At the Radisson Star Plaza in Merrillville, IN, we suspect that the point of sales system at food and beverage outlets and the property management system that manages hotel guests’ credit card information was affected.
We quickly engaged a third party forensic services provider to conduct an investigation. We also notified the U.S. Secret Service and FBI. The preliminary results of the investigation revealed malicious software and remnants of such software on a number of the point of sale terminals used at food and beverage outlets at these hotels. Because this malicious software (also referred to as malware) was detected, the credit/debit card data entered on these devices was at risk of theft.
Q: What specific information was disclosed about me?
A: The unlawfully accessed data may have included names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates.
Q: Was my spouse or other family members’ information also affected?
A: Only the information of guests who used their credit cards at the affected locations listed above have been impacted by this event.
Q: Why wasn’t this incident announced sooner?
A: We were informed of the suspected breach on January 16, 2014 and then promptly contacted law enforcement engaged a security forensic firm and commenced the investigation. The forensic investigation, research to identify the affected locations and cards, the procurement of identity theft protection services and preparation of communications was conducted as fast as we could.
Q. Who is White Lodging Services Corporation and what is their relationship to Marriott, Sheraton, Holiday Inn, Radisson and Westin?
A: White Lodging is an independent hotel management company that is separate and distinct from all of the hotel brand companies. White Lodging operates hotels as a franchisee of these hotel brand companies under management agreements with the owner of the hotels.
Q: Is this incident related to the Target incident?
A: We have no indication that there is any relationship to any of the other recent incidents in the news.
Q: Has the person who accessed the information been caught?
A: Law enforcement has not notified us of any arrests; our investigation is on-going and we are fully cooperating with law enforcement and the credit card companies.
Q: I was a guest at one of the hotels during the time period disclosed but did not use my credit/debit card at food and beverage outlets. Is my credit/debit card data at risk?
A: The preliminary results of the forensic review do not indicate the presence of malicious software on the property management system used at the front desk to process room charges. Thus, your credit/debit card data is not believed to be at risk.
However, if you were a guest at the Radisson Star Plaza in Merrillville, IN property during March 20 – December 16, 2013, your credit card may be affected, assuming you paid for your stay with a credit card.
Q: Has anything been done to protect my credit/debit card from being misused?
A: Yes, the credit card companies have already sent all affected credit/debit card numbers to the banks that issued the cards so that they can increase their fraud monitoring on the card or reissue the card if they believe that is necessary. For example, if you used a credit card that was issued by Bank of America at one of the locations named in the press release during the March 20 – December 16, 2013 time period, Bank of America already knows your card may have been affected. In addition, the policies of the payment card brands such as Visa, MasterCard, American Express and Discover provide that you have zero liability for any unauthorized charges if you report them in a timely manner.
We are also offering one year of complimentary personal identity theft protection services, provided by AllClearID, to those affected by this incident.
If you desire to enroll in the AllClearID service you will be able to do so via the Internet at https://whitelodging.allclearid.com. If you do not have access to the Internet, a call center agent will be able to facilitate enrollment when you call 1-855-865-4453. Note: If you decide to enroll in the credit monitoring service you will be required to provide your Social Security number to verify your identity. For non-U.S. residents the service offering will vary.
Q: Has the investigation concluded?
A: No, the investigation is on-going and we are fully cooperating with law enforcement and the credit card companies.
Q: What has been done to prevent a reoccurrence in the future?
A: We are examining the likely root causes of this incident and are taking steps designed to prevent a reoccurrence.
Q: Should I notify the bank (or American Express for Amex cards issued directly) that issued my credit card?
A: While the issuing banks have already been notified and they are either increasing the fraud monitoring on your card or may reissue it, you may want to contact them and inquire of them any additional next steps that they suggest.
Q: Is there an expiration date to take advantage of the one year of complimentary personal identity theft protection services?
A: Yes, you must enroll by May 7, 2014.
Q: When will the personal identity theft protection services end?
A: The ending date of the services is May 7, 2015. Thus, if you enroll before May 7, 2014 you will receive more than one year of protection.
Q: What is the difference between a fraud alert or security freeze and the service AllClearID provides?
A: A fraud alert or security freeze placed through Equifax, Experian or Trans Union is a separate service from the AllClearID personal identity theft protection service.
A fraud alert is an alert that the three major credit reporting companies attach to your credit file. When you, or someone else, attempt to open a credit account, the lender should contact you by phone to verify that you want to open the new account. If you cannot be reached by phone, the credit account should not be opened.
A security freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company.
The AllClearID credit monitoring service is a service that monitors the a major credit bureau for signs of fraud or unauthorized use of your credit card accounts, and provides you with you with a notification of significant changes to your credit files.
Q: What do I do if my credit accounts have been tampered with or if new accounts have been opened fraudulently?
A: If you observe suspicious activity, contact your creditors immediately. Ask to speak to someone in the security or fraud department, and follow up in writing. If you discover a changed billing address on an existing credit card account, close the account. When you open a new account, ask that a password be used before any inquiries or changes can be made on the account. When selecting a password or Personal Identification Number (PIN), avoid using easily available information like your birth date or name.
ADDITIONAL RESOURCES, CREDIT ALERTS AND FREEZES
Information about Identity Theft
Federal Trade Commission
The Federal Trade Commission provides helpful information about how to avoid identity theft.
• Visit: http://www.ftc.gov/idtheft
• Call (toll-free): 1-877-ID-THEFT (1-877-438-4338)
• Write: Consumer Response Center, Federal Trade Commission, 600 Pennsylvania Ave., NW, Washington, DC 20580.
State Specific Information
Some States provide additional information and resources to assist their residents when there is a data security breach.
Under Maryland and federal law, you are entitled to two FREE credit reports from each of the Credit Reporting Agencies each year. Go to www.annualcreditreport.com or call 1-877-322-8228 to access your report through the federal Fair Credit Reporting Act. You must contact each of the three Credit Reporting Agencies individually to access your credit report under Maryland law. The contact information for these agencies is contained on the next page.
For more information on identity theft you can contact Maryland’s Office of the Attorney General, Address: 200 St. Paul Place, Baltimore, MD 21202; Telephone: (410) 576-6491 website www.oag.state.md.us/idtheft/index.htm.
North Carolina Residents
For more information on identity theft you can contact the North Carolina’s Attorney General’s Office, Address: 9001 Mail Service Center, Raleigh, NC 27699-9001; Telephone: (919) 716-6400; Fax: (919) 716-6750; website: http://www.ncdoj.com/.
You may place a “security freeze” on your credit report if you are the victim of identity theft. A security freeze allows consumers to stop the use of their credit report to open new accounts unless the consumer gives the business specific authority to review the credit report. For more information, please visit the following website: http://www.atg.state.vt.us/issues/consumer-protection/identity-theft.php
West Virginia Residents
West Virginia residents may place a security freeze on their credit report by requesting one in writing by certified or overnight mail to any credit reporting agency. A security freeze prohibits, with certain exceptions, the credit reporting agency from releasing any information contained within a consumer's credit report without the express authorization of the consumer. If a consumer later wants to open a new credit account, he can lift the security freeze for a temporary period of time. If the consumer is a victim of identity theft, there is no charge to place or lift the freeze. For all others, the credit reporting agency can charge up to $5.00 for each time a freeze is placed or removed. For more information on reporting and recovering from identity theft, please contact the Attorney General Office’s Consumer Protection Hotline at 1-800-368-8808.
Free Annual Credit Reports
You may obtain a free copy of your credit report once every 12 months.
• Visit: http://www.annualcreditreport.com
• Call (toll-free): 1-877-322-8228
• Write: Complete an Annual Credit Report Request Form and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281 (you can print a copy of the form at http://www.consumer.ftc.gov/articles/pdf-0093-annual-report-request-form.pdf).
You also may purchase a copy of your credit report by contacting one of the three national credit reporting companies.
P. O. Box 740241
Atlanta, GA 30374-0241
P. O. Box 9554
Allen, TX 75013
2 Baldwin Place
P.O. Box 1000
Chester, PA 19022
Fraud Alerts: “Initial Alert” and “Extended Alert”
You can place two types of fraud alerts on your credit report to put your creditors on notice that you may be a victim of fraud: an “Initial Alert” and an “Extended Alert.” An Initial Alert stays on your credit report for 90 days. You may ask that an Initial Alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An Extended Alert stays on your credit report for seven years. To obtain the Extended Alert, you must provide proof to the credit reporting company (usually in the form of a police report) that you actually have been a victim of identity theft. You have the right to obtain a police report regarding the data security incident. You can place a fraud alert on your credit report by calling the toll-free fraud number of any of the three credit reporting companies provided above.
A potential drawback to activating a fraud alert would occur when you attempt to open a new account. You would need to be available at either your work phone number or home phone number in order to approve opening the new credit account. If you are not available at either of those numbers, the creditor may not open the account. In addition, it may take longer to obtain credit and in some cases merchants may be hesitant to open a new account.
Fraud alerts will not necessarily prevent someone else from opening an account in your name. A creditor is not required by law to contact you if you have a fraud alert in place. Fraud alerts can legally be ignored by creditors. If you suspect that you are or have already been a victim of identity theft, fraud alerts are only a small part of protecting your credit. You also need to pay close attention to your credit report to make sure that the only credit inquiries or new credit accounts in your file are yours.
You may contact all of the three major credit reporting agencies using the information below that they have published. Credit agencies will need to verify your identity which will require providing your Social Security number and other similar information.
P.O. Box 2000
Chester, PA 19022-2000
P. O. Box 740241
Atlanta, GA 30374-0241
P. O. Box 9554
Allen, TX 75013
Placing a fraud alert does not damage your credit or credit score. Additional information may be obtained from www.annualcreditreport.com.
Credit or Security Freeze on Credit File
In some U.S. states, you have the right to put a credit freeze (also known as a security freeze) on your credit file. A credit freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting company. If permitted in your State, using a security freeze may interfere with, or delay your ability to obtain credit.
A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent; however, using a security freeze may interfere with or delay your ability to obtain credit. To place a security freeze on your credit report, contact the credit reporting agencies using the information below, and be prepared to provide the following (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well):
(1) full name, with middle initial and any suffixes;
(2) Social Security number;
(3) date of birth;
(4) current address and any previous addresses for the past two years; and
(5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles.
The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue. The consumer reporting agency may charge a fee of between $5.00 and $20.00 to place, lift, and/or remove a freeze, unless you are a victim of identity theft or the spouse of a victim of identity theft, and you have submitted a valid police report relating to the identity theft incident to the consumer reporting agency. The addresses of consumer reporting agencies to which requests for a security freeze may be sent are:
P.O. Box 2000
Chester, PA 19022-2000
Equifax Security Freeze
P.O. Box 105788
Atlanta, Georgia 30348
P. O. Box 9532
Allen, TX 75013
The credit reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number (PIN) or password, or both that can be used by you to authorize the removal or lifting of the security freeze.
To lift the security freeze to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include:
• proper identification (name, address, and Social Security number);
• the PIN or password provided to you when you placed the security freeze; and
• the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available.
The credit reporting agencies have three (3) business days after receiving your request to lift the security freeze for those identified entities or for the specified period of time.