Noble House Hotels & Resorts Notifies Guests of Payment Card Security Incident

Share Button

KIRKLAND, Wash., Sept. 2, 2016 /PRNewswire/ — Noble House Hotels & Resorts values the relationship it has with its guests and takes its obligation to protect payment card information seriously.  When Noble House was notified by the Secret Service about possible fraudulent activity on the payment card system at one of its properties, Ocean Key Resort & Spa, it engaged a computer security firm to examine the payment systems at all of the properties it manages for any signs of an issue.  Through its investigation, it learned that malware may have been installed on payment processing systems that potentially affected cards swiped at the following hotels, restaurants, and bars during the periods identified:

  • Kona Kai Resort & Spa, San Diego, CA, including the Vessel restaurant and the Tiki Bar, from April 25, 2016August 3, 2016;
  • Little Palm Island Resort & Spa, Florida Keys, FL, including the Little Palm Island Dining Room, from April 25, 2016June 8, 2016;
  • The Portofino Hotel & Marina, Redondo Beach, CA, including the Baleen Kitchen & Lounge restaurant and the Living Room Bar, from April 26, 2016June 8, 2016;
  • The Edgewater, Seattle, WA, including the Six Seven restaurant, from April 26, 2016August 3, 2016;
  • Ocean Key Resort & Spa, Key West, FL, including the Hot Tin Roof Restaurant, Sunset Pier bar, and LIQUID Pool Bar between April 26, 2016 and June 8, 2016;
  • River Terrace Inn, Napa, CA, including the Terrace Café & Wine Bar, from April 25, 2016June 8, 2016;
  • LaPlaya Beach & Golf Resort, Naples, FL, including the Baleen restaurant and the Tiki Bar, from April 26, 2016August 3, 2016;
  • Mountain Lodge at Telluride, Telluride, CO, including The View restaurant, from April 26, 2016August 5, 2016;
  • Hotel Deca, Seattle, WA, from April 25, 2016June 8, 2016;
  • Blue Mermaid restaurant, San Francisco, CA from April 26, 2016August 3, 2016;
  • Pescatore restaurant, San Francisco, CA from April 26, 2016August 3, 2016;

The information potentially compromised involved data found in the magnetic stripe on payment cards, including payment card number, payment card expiration date, CVV number, and may have included the payment cardholder’s name.  We have no evidence that any cards used at these businesses outside of the periods identified were affected.

If guests used a payment card at one of the above hotels, restaurants, and bars during the dates listed above, we recommend that they remain vigilant to the possibility of fraud by reviewing their account statements for any unauthorized activity.  If they see any unauthorized charges, guests should contact the bank that issued their card as soon as possible.  The credit card companies typically guarantee that cardholders will not be responsible for fraudulent charges. Additionally, if guests incurred costs that their financial institution declined to reimburse related to fraudulent charges on a payment card used at one of the above hotels, restaurants, and bars during the dates listed above, Noble House will reimburse guests for any such reasonable, documented costs that their financial institution declined to pay.

Noble House was able to notify all individuals for whom we had contact information.  However, because of the nature of the incident, we were not able to directly contact all potentially affected guests.  If guests have any questions regarding this incident, they may call (866) 877-7528, Monday through Friday between the hours of 9 am and 5 pm Eastern time.  For additional information about this incident please visit our website at

According to John Christly, CISO at Netsurion, a provider of remotely-managed security services for multi-location businesses

“This is just the latest case of a hotel chain being breached, and it won’t be the last. Hospitality companies are in an ongoing digital war with cybercriminals seeking payment card data—and the war is being won far too often by these hackers. Any business that processes payment data or offers free Wi-Fi is a profitable breach target. But widespread chains like Kimpton are especially appealing to hackers because of their troves of valuable data such as credit card information, sensitive employee data and sometimes even medical data used by in-house care facilities.

Traditional cybersecurity defenses are no longer enough. New defensive approaches, advanced cybersecurity tools and increased cyber intelligence must be deployed, which usually come from a relationship with an outside vendor. These vendors have the specialized knowledge needed to understand what the tools and resulting information being gathered are telling you. Possible tools include things like File Integrity Monitoring, Unified Threat Management (UTM) appliances, Security Information and Event Management (SIEM) and next-generation endpoint security solutions.

When systems like this are in place and managed appropriately, the processes within the programs and the computer operating system and memory will be watched for suspicious activity— and those tools will talk to other tools that have even deeper threat intelligence from a network of other deployed sensors. It’s very difficult to defend against today’s emerging cyberthreats on your own. For the best outcome, these advanced toolsets should be outsourced to a managed security firm specializing in this type of service—which includes expert threat researchers constantly patrolling for new activity that could point to hackers  trying to steal data from your systems. This proactive approach will help to keep organizations out of the breach headlines.”


About the Author