HONG KONG – Earlier this year, Mandarin Oriental discovered a malware attack on our credit card systems in a number of our hotels listed below. In response, we issued a public statement on our website to alert guests to the attack so they could take proactive measures to monitor their credit card activity. We also immediately engaged law enforcement, cyber-forensic specialists, and appropriate credit card companies to coordinate investigation efforts and to take further steps to assist our guests. After a thorough investigation, we now know more about the incident and are notifying affected guests. We have established a call center that is prepared to address any questions our guests may have about the breach. We regret that this incident occurred and are sorry for any inconvenience it may cause. We take the safety and security of our guests and their personal information very seriously, and the trust our guests place in us remains an absolute priority.
From our investigation, it appears that a hacker used malware to obtain access to certain credit card systems in a number of Mandarin Oriental hotels. We believe this hacker may have used the malware to acquire the names and credit card numbers of guests who used a credit card for dining, beverage, spa, guest rooms, or other products and services at the following Mandarin Oriental properties during these time periods; we have not, however, found any evidence of acquisition or misuse of credit card pin numbers or security codes, or any other personal guest data:
Mandarin Oriental, Boston between June 18, 2014 and March 12, 2015
Mandarin Oriental, Geneva between June 18, 2014 and March 3, 2015
Mandarin Oriental, Hong Kong between June 18, 2014 and February 10, 2015
Mandarin Oriental Hyde Park, London between June 18, 2014 and March 5, 2015
Mandarin Oriental, Las Vegas between June 18, 2014 and October 16, 2014
Mandarin Oriental, Miami between June 18, 2014 and March 3, 2015
Mandarin Oriental, New York between June 18, 2014 and January 18, 2015
Mandarin Oriental, San Francisco between June 18, 2014 and February 14, 2015
Mandarin Oriental, Washington DC between June 18, 2014 and January 20, 2015
The Landmark Mandarin Oriental, Hong Kong between June 18, 2014 and February 3, 2015
Since we were first alerted to this attack, we have been investigating this incident across multiple countries and properties, and working in coordination with law enforcement and the credit card companies. We have timed this notice to avoid disrupting or impeding their concurrent investigations. We have also taken comprehensive steps to ensure that the malware has been removed and that the hacker is no longer in our systems.
In some instances, a credit card company may have already replaced the potentially affected credit card if it determined that the guest was at risk. We encourage potentially affected guests to remain vigilant for instances of fraud and identity theft, and to regularly review and monitor relevant account statements and credit reports to ensure the information contained in them is accurate. If any unauthorized charges on credit or debit card(s) are detected, guests should contact their card issuer. If anything is seen that is incorrect on credit reports, guests should contact the credit reporting agency. Suspected incidents of identity theft should be reported to local law enforcement. Even if no signs of fraud are found on reports or account statements, security experts suggest that credit reports and account statements should be checked periodically.
FOR UNITED STATES RESIDENTS
Individuals who believe they may be affected by this incident may elect to place a fraud alert with the major credit reporting agencies on their credit files. Their contact information is as follows:
Equifax Equifax Information Services LLC
P.O. Box 14473
Atlanta, GA 30348-5069 800-525-6285 www.equifax.com
Experian Experian Fraud Reporting
P.O. Box 14473
Allen, Texas 75013 888-397-3742 www.experian.com
TransUnion TransUnion LLC
P.O. Box 14473
Fullerton, California 92834-6790 800-680-7289 www.transunion.com
A fraud alert lasts 90 days, and requires potential creditors to use “reasonable policies and procedures” to verify their identity before issuing credit in their name (as soon as one agency is notified, the others are notified to place fraud alerts as well). Individuals can also request these agencies to provide them with a copy of their credit report. The fraud alert can be kept in place at the credit reporting agencies by calling again after 90 days.
Individuals can also ask these same credit reporting agencies to place a security freeze on their credit report. A security freeze prohibits a credit reporting agency from releasing any information from an individual’s credit report without written authorization. Placing a security freeze on the credit report may delay, interfere with, or prevent the timely approval of any requests from the individual concerned. This may include requests for new loans, credit, mortgages, employment, housing or other services. If individuals want to have a security freeze placed on their account, they must make a request in writing by certified mail to the reporting agencies. The reporting agencies will ask for certain personal information, which will vary depending on where the individual lives and the credit reporting agency. It normally includes name, social security number, date of birth, and current and prior addresses (and proof thereof), and a copy of government-issued identification.
The cost to place, temporarily lift, or permanently lift a credit freeze varies by state. Generally, the credit reporting agencies will charge $5.00 or $10.00. However, if the individual is the victim of identity theft and has a copy of a valid investigative or incident report, or complaint with a law enforcement agency, in many states it is free. Individuals have the right to a police report under certain state laws.