Luxury hotel chain Nobel House Hotels and Resorts is notifying customers of a breach they uncovered in the wake of reports by customers of fraudulent charges on payment cards.
In a letter sent to those potentially affected, Patrick R. Colee, Chairman of Noble House Hotels & Resorts, writes, in part:
Through our investigation, Noble House learned that malware may have been installed on payment processing systems that potentially affected cards swiped at the following properties:
- The Portofino Hotel and Marina, Redondo Beach, CA, from April 3, 2015 to August 11, 2015;
- The Edgewater, Seattle, WA, from December 29, 2014 to August 11, 2015;
- Little Palm Island Resort and Spa, Florida Keys, FL, from December 29, 2014 to May 22, 2015;
- Mountain Lodge Telluride, Telluride, CO, from December 29, 2014 to May 27, 2015;
- Ocean Key Resort and Spa, Key West, FL, from December 29, 2014 to August 6, 2015
- River Terrace Inn, Napa, CA, from December 29, 2014 to August 11, 2015.
The information potentially compromised by the malware involves data found in the magnetic stripe on payment cards, which includes the cardholder name, card number, expiration date, and CVV number.
It’s not clear from their notification whether there was (just) one malware incident that began in December, 2014, or if there was also a second incident in April, 2015. The metadata submitted with the copy of the notification indicates that they discovered the breach on October 15, 2015.
In response to the discovery, Noble House notified the FBI and also encouraged customers to remain vigilant and report any suspicious charges to their financial institutions. They also offered to reimburse any unreimbursed charges:
If you incurred costs that your financial institution declined to reimburse related to fraudulent charges on a payment card you used at one of the above properties, please contact us at the number below. We will reimburse you for any such reasonable, documented costs that your financial institution declined to pay.