FAQ
Update as of November 3, 2017: After extensive internal and external forensic examinations performed by third-party Qualified Security Assessors that concluded on September 18, 2017, and subsequent review of the results by MHR's Payment Card Processor and Merchant Bank, under supervision of the affected card brands, it was determined that there was no evidence of cardholder data being accessed, collected, or exfiltrated from MHR's cardholder data environment in connection with the suspected cyber event referenced below. MHR will now close this investigation.
1. What happened?
Millennium Hotels & Resorts North America (MHR) was notified of a potential data security incident by the U.S. Secret Service involving point of sale systems that processed customer card payments, primarily within food and beverage facilities operating at 14 MHR hotels in the United States.
Initial information suggests that the period during which the MHR point of sale systems were affected was between early March, 2016 and mid-June, 2016.
Subsequently, MHR was notified by a third-party service provider—that supplies and services the affected point of sale systems—that it had detected and addressed “malicious code” in certain of its legacy systems, including those used by MHR.
2. What information was involved?
The information that may have been affected includes payment card account information. This information may include first and last name, depending on the card used, as well as the payment card number.
3. Where did this happen and why was my information affected?
Based on information provided by the U.S. Secret Service, the 14 MHR locations include the following properties:
- The Lakefront Anchorage, Alaska
- The McCormick Scottsdale, Arizona
- Millennium Biltmore Los Angeles, California
- Millennium Harvest House Boulder, Colorado
- Millennium Knickerbocker Chicago, Illinois
- Millennium Bostonian Hotel Boston, Massachusetts
- Millennium Minneapolis, Minnesota
- Millennium Hotel Buffalo, New York
- ONE UN New York, New York
- Millennium Broadway New York Times Square, New York
- The Premier Times Square by Millennium, New York
- Millennium Hotel Durham, North Carolina
- Millennium Cincinnati, Ohio
- Millennium Maxwell Hotel Nashville, Tennessee
If you used a payment card at a restaurant or retail facility at any of the foregoing locations during the relevant period, your information may have been processed by one of the affected point of sale systems. The affected point of sale systems are separate from other MHR systems. There is no evidence at the time of this release that other MHR systems, including its hotel booking system, have been affected by the incident. The hotel booking system covers room charges and other charges billed to a customer’s room and settled at checkout.
4. What is malicious code?
"Malicious code" refers to software programs designed to damage or conduct other unwanted actions on a computer system.
5. What has MHR done about this incident?
Once notified, MHR took immediate steps to investigate and isolate the card processing elements of the affected point of sale systems, which were taken offline. After being informed by the third-party service provider that it had detected and addressed malicious code in certain of its legacy point of sale systems, MHR immediately adopted additional security measures as recommended by the third-party service provider.
6. What is MHR doing about this so it does not happen again?
MHR is committed to protecting customers' payment card information. MHR has engaged a third party cyber forensic expert to help strengthen our security standards. Although no one can guarantee the security of any online system, MHR continually strives to review our security practices in light of the ever-evolving cyber landscape and the challenges presented by cyber criminals.
7. Is it safe to use my debit/credit card at MHR?
Given the immediate steps taken by MHR to remove the affected card processing systems and replace them with even more secure systems; it is safe to use your payment cards at MHR properties located worldwide.
8. Were there other individuals affected by this breach, or am I the only one?
Based on information MHR has obtained from the U.S. Secret Service and our own investigation, it appears that a number of payment cards may have been affected by the incident. We regard any breach of security as a vital issue to be addressed, no matter how many customers are affected.
9. Have the persons or cyber criminals who accessed the information been caught
The U.S. Secret Service is investigating this incident and will work to bring the cyber criminals responsible for the incident to justice and prosecution to fullest extent of the law. MHR is cooperating fully with law enforcement regarding this matter.
10. Will we receive any additional information or updates?
MHR will continue to provide material updates as frequently as possible.
11. What else should affected customers do?
It is recommended that you remain vigilant, review your relevant account statements, and monitor your credit reports for suspicious activity. You can further educate yourself regarding fraud alerts, security freezes, and steps you can take toward preventing identity theft by contacting your state Attorney General or the Federal Trade Commission. The Federal Trade Commission can be reached at:
www.ftc.gov/bcp/edu/microsites/idtheft/
1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Some state laws advise you to report any suspected identity theft to law enforcement, your state’s Attorney General, and the Federal Trade Commission.
Under U.S. law, you are entitled to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report:
Equifax
P.O. Box 740241
Atlanta, GA 30348
800-685-1111
www.equifax.com
Experian
P.O. Box 2104
Allen, TX 75013
888-397-3742
www.experian.com
TransUnion
P.O. Box 2000
Chester, PA 19022
800-888-4213
www.transunion.com