Data Security Notice
UPDATE as of November 3, 2017: After extensive internal and external forensic examinations performed by third-party Qualified Security Assessors that concluded on September 18, 2017, and subsequent review of the results by MHR's Payment Card Processor and Merchant Bank, under supervision of the affected card brands, it was determined that there was no evidence of cardholder data being accessed, collected, or exfiltrated from MHR's cardholder data environment in connection with the suspected cyber event referenced below. MHR will now close this investigation.
Notice to Customers of Millennium Hotels & Resorts North America
Potential Data Security Incident
August 25, 2016: Millennium Hotels & Resorts North America (MHR) has become aware of a data security incident involving food and beverage point of sale systems at 14 of its hotels in the United States.
The company advises customers to review their payment card account statements closely and to report unauthorized charges to their card issuer immediately. Payment card rules generally provide that cardholders are not responsible for unauthorized charges that are reported in a timely manner.
The company has engaged third-party cyber forensic experts to investigate the incident. To date, the investigation has not identified the presence of “malware” on any MHR systems. Initial information suggests that the incident affected point of sale systems that processed customer card payments - primarily within food and beverage facilities operating at the hotels - between early March, 2016 and mid-June, 2016.
MHR originally was notified of the incident by the U.S. Secret Service and took immediate steps to investigate and isolate the card processing elements of the affected point of sale systems, which were taken offline.
Subsequently, MHR was notified by a third-party service provider, which supplies and services the affected point of sale systems, that it had detected and addressed malicious code in certain of its legacy point of sale systems, including those used by MHR. MHR immediately adopted additional security measures as recommended by the third-party service provider.
The affected systems are separate from other MHR systems, including MHR’s hotel property management and booking systems. The results from MHR’s current investigation do not indicate compromise of those other systems.
If you have any further questions, you can refer to our FAQ section.