Suspected data breach at Hilton, Doubletree, Embassy Suites & Hampton Inn means consumers need to act

CLEVELAND, Ohio -- While we've had data breaches this year involving the Internal Revenue Service, Anthem Blue Cross and federal workers, it's been a while since we had a big retail data breach. That changed this weekend.

Hilton hotels and its related companies are investigating a suspected breach of customer credit and debit card numbers inside its hotels, including its Hilton brand, as well as its Doubletree, Embassy Suites and Hampton Inn operations.

It's believed that reservations and room payments were not affected, but payment card information was stolen at point-of-sale cash registers inside the hotels, including restaurants, gift shops and coffee shops, according to Krebs On Security, a website that focuses on cybersecurity, which first reported the breach.

It's not yet known when the breach started. It could have started in April, or the trouble could have started late last year.

In a written statement, Hilton said the company is investigating. "Hilton Worldwide is strongly committed to protecting our customers' credit card information," the company said. "We have many systems in place and work with some of the top experts in the field to address data security.

"Unfortunately the possibility of fraudulent credit card activity is all too common for every company in today's marketplace. We take any potential issue very seriously, and we are looking into this matter."

The disclosure comes as the United States' payment system enters a new chapter: on Oct. 1, retailers will be required to have payment terminals that accept EMV chip cards. The new technology makes a conventional data breach impossible because the cards don't share the account data or any personal information with a store, restaurant or other merchant. In reality, though, only a fraction of payment terminals nationwide will be in compliance this week.

In the meantime, if you've patronized a Hilton, Doubletree, Embassy Suites or Hampton hotel in the last year, you may want to consider some protective steps:

1. If you used a debit card inside a Hilton during the last year, you should cancel your debit card immediately and you should not get a new one reissued. You should realize that any money you have in that account could be at risk. Monitor this account closely in the days and weeks ahead.

2. Watch out for suspicious emails or phone calls that try to trick you into disclosing personal information.

With a data breach of this scale, many of us will receive emails and calls that falsely claim to be from one of the hotel chains and ask us to click on links or fill out forms or provide even more personal information. This will be an attempt to defraud you.

If anyone contacts you by email or phone and says he's from the hotel chain, or your bank or credit card company, or any investigator, hang up. If you don't hang up for some reason, then do not provide any information, such as your Social Security number, date of birth, bank account information, etc.

Remember that stores, banks and investigators will never contact you out of the blue and ask for personal information such as account numbers, Social Security numbers, passwords, etc. Never. Ever. Don't click on links or reply with any information.

(This same warning applies to anyone who ever calls you and claims to be from Microsoft or Apple support and says you have a problem with your computer and the caller needs access to your computer to fix it. Just don't. Ever. Hang up without saying bye.)

3. Monitor your credit card and bank accounts and monthly statements even more thoroughly than before.

4. Set up email and/or text alerts for any credit or debit cards you have. Most banks allow you to customize what kind of alerts you want -- for purchases above a certain dollar amount, say $300? Or if your checking account drops below a certain level? With the risk of fraud increasing every day, you shouldn't wait for your weekly online check-in or your monthly statement to find out you've got a problem.

5. If you know you used a particular credit or debit card at a Hilton sometime during the last several months, get geared up for a new account number. Do you have any bills paid automatically from the account, such as your cell phone bill, gym membership, etc.? Be prepared to pay those expenses in another way if your card number gets changed.

6. If you used a debit card at a Hilton, or if you use it at a merchant, you should make it a priority to open another account at a bank or credit union so that you have a back-up account if the first account gets raided by fraud on your debit card.

7. Take this as another wake-up call that you need to do something about that debit card. Debit card fraud has been increasing by 30 percent a year the last few years. About one in 14 consumers has been hit by debit card fraud in the last five years. You say you've never had a problem? All debit cards are safe, until they're not.

8. If you haven't gotten a chip card for every single credit card and debit card you have, ask your bank when it's going to replace your card with the safer technology.

9. Create a separate email address to give to retailers or social media sites. If you use your primary email for important business like your banking and investing and another email for retailers, there will be an immediate red flag if you get an email that looks like it's from your bank but it arrives in your other email account.

10. If you have a P.O. Box or a work mailing address that you can give out to retailers, do that. Again, a fraudulent letter arriving at your office would trigger suspicion, but it might not as quickly at home.

The alternative to using a separate mailing address: If you have rewards cards or order products for pickup from stores, give the store a different (incorrect) spelling of your name or throw in an incorrect middle name.

11. If you have an online account with a Hilton property, change your password. This could be an online account for a Hilton rewards program or some other account. Either way, change the password. And if you have used this password with any other online accounts, change those passwords too.
