Two Hawaii Data Breaches Affecting the Tourist Industry Announced on the Same Day

By MDL on March 4, 2017

Two Hawaii Data Breaches Affecting the Tourist Industry Announced on the Same Day

Both Roberts Hawaii and Turtle Bay Resort notified their customers of “payment card incidents” involving the theft of credit card information on February 24, 2017.

Roberts Hawaii, a popular, well-established local tour company

On Feb 24, 2017, Roberts Hawaii notified customers that its website had been hacked and customer payment card information was stolen.

What Happened: According to a webpage set up by Roberts Hawaii, “an unauthorized person had gained access to the company’s web server and surreptitiously installed code designed to copy information entered during the checkout process, including order ID, name, address, email address, phone number, payment card number, expiration date and card security code.“

The data breach was discovered when “several customers” reported fraudulent credit card charges “shortly after” those cards were used to make an online purchase from the Roberts Hawaii site.

Dates Affected: July 30, 2015 to December 14, 2016

Mitigation Efforts: The unauthorized code was removed. “All payment collection pages on the compromised server were replaced entirely with third party online booking software “

Roberts Hawaii says it is working to strengthen the security of their website to prevent future occurrences. An unnamed cybersecurity firm is assisting with the investigation.

Company Response:

The company made a statement in an open letter to their customers “Roberts Hawaii is notifying its customers of a payment card incident, and encouraging them to remain vigilant against possible fraudulent activity on their cards.”

To provide more information to their customers, the company set up a webpage titled “Protecting Our Customers” and a provided the number to their call center (877) 235-0796.

Attribution: No suspects named.

Benchmark, the management company and property owners of Turtle Bay Resort

On Feb 24, 2017, Benchmark notified customers of a “payment card incident” at six locations managed by Benchmark Resorts & Hotels. Turtle Bay Resort in Kahuku, HI was one of the locations affected.

What Happened: In a message from Benchmark, the company says it “identified an unauthorized file designed to capture payment card information as it is routed through our payment processing system.”  The malware “searched for track data including cardholder name, payment card account number, card expiration date, and verification code,” and was installed on payment card processing devices at Benchmark managed properties.  

Dates Affected: October 23, 2016 to January 1, 2017. Turtle Bay affected: October 23, 2016 to December 22, 2016

Locations Affected: Turtle Bay Resort, Kahuku-Oahu, HI, (Food & Beverage) and five other resorts across the US.

Mitigation Efforts:  “Benchmark has taken measures to contain this incident and eradicate the malware.”

Company Response: “We immediately hired a leading cybersecurity firm to assist with our investigation across all of our properties.” Benchmark says they are working to strengthen their security “including completing the implementation of point to point encryption and installation of EMV readers at our properties.  We are also working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring on the affected cards.” Turtle Bay Resort has included a link from their home page titled “Payment Card Incident” to a Benchmark informational webpage at that also includes a contact phone number, tips to protect against fraud, and contact information for credit reporting companies.

Attribution: No suspects named.

Sources: Roberts Hawaii, Protecting Our Customers. Pacific Business News, Roberts Hawaii customer information stolen in website hack. Hawaii News Now, Credit card, personal info targeted in Hawaii tour company hack. KHON 2, Turtle Bay Resort, Roberts Hawaii issue warnings after payment systems hacked. Information Security Newspaper, ROBERTS HAWAII TOUR COMPANY HACKED, CREDIT CARD AND PERSONAL INFO EXPOSED. Benchmark. BENCHMARK NOTIFIES CUSTOMERS OF PAYMENT CARD INCIDENT