Hotels data breach could lead to tipping point
White Lodging Services on Tuesday continued its investigation into a customer data security breach at more than a dozen Marriott, Starwood, Intercontinental and Carlson Rezidor-owned hotels it manages for those companies.
Customers who used credit or debit cards in the 14 hotels' restaurants or gift shops from March 20 to Dec. 16, 2013, may have had their card numbers stolen, along with their security codes and expiration dates, White Lodging confirmed Monday.
In addition to the 14 hotels hit at their restaurant locations, only one was also breached at its property management system that also manages guests' credit card information. That one hotel is the Radisson Star Plaza, located in Merrillville, Ind., which is the same town where White Lodging Services is headquartered.
The hotels are only the latest to get hit, and this breach was made public only after security researcher Brian Krebs reported it on his website Friday.
(Read more: Target apologizes for data breach at Senate hearing)
Eventually the public will call for changes, another technology expert argued.
"As we've seen with recent data breaches at retailers such as Target, Neiman Marcus and Michaels, credit card theft and related [breaches] is becoming business as usual these days. We might very well see a tipping point this year that finally draws national laws on reporting of such theft/breaches at a much deeper level than we have now." Marc Maiffret, the chief technology officer of BeyondTrust, said in an email to CNBC.
"I think this illumination that is happening now will continue to grow this year and reach a point where people will demand total transparency of data breaches at a federal level beyond the specific state level reporting laws we have now," said Maiffret, who said before he went legit, spent the early part of his life illegally hacking into companies and governments until being raided by the FBI, but was never arrested.
(Read more: Hotels testing keyless entry via smartphone app)
White Lodging on Tuesday did not respond to requests for more information, but some of the hotels did.
"Radisson deeply values the privacy of the personal information of our guests. The brand is working closely with White Lodging, the management company for our franchisee and the other 13 impacted hotels, as they investigate the breach at the Radisson Star Plaza in Merrillville," read a statement sent to CNBC on Tuesday by Carlson Rezidor, which owns Radisson, Park Plaza, Country Inns & Suites and Hotel Missoni.
"This is the only Radisson hotel managed by White Lodging. Since there is no evidence that the suspected breach originated with or impacted any systems that Radisson or Carlson Rezidor Hotel Group owns or controls, we do not have additional information to provide at this time."
Marriott had nine properties tied up in the breach: Marriott Midway in Chicago; Marriott Boulder in Boulder, Colo.; Marriott Denver South in Denver; Marriott Austin South in Austin, Texas; Marriott Indianapolis Downtown in Indianapolis; the Marriott Richmond Downtown in Richmond, Va; the Marriott Louisville Downtown in Louisville, Ky.; the Renaissance Broomfield Flatiron on Broomfield, Colo.; and the Renaissance Plantation in Plantation, Fla.
"We are working closely with the franchise management company as they investigate the matter," Marriott said in a statement issued Saturday. "Since this impacts customers of Marriott properties, we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely."
InterContinental Hotels Group had two properties on the list: the Holiday Inn Midway in Chicago and the Holiday Inn Austin Northwest in Austin. "IHG is committed to protecting the privacy and personal information of our guests. IHG is in communication with White Lodging, who continues to provide updates on the investigation to their business partners, as well as to consumers via their website," the company said in a statement.
Starwood, which owns Sheraton and Westin hotels, also had two hotels on the list: the Sheraton Erie Bayfront in Erie, Pa., and Westin Austin at The Domain in Austin. "As you can imagine, the privacy and security of our guest information are very important to Starwood and we are working closely with White Lodging as they conduct their investigation," the company said in a statement to CNBC.
"To our knowledge, the system that manages hotel guests' credit card information was not affected at either of our properties."
White Lodging manages other Starwood properties but only those two appear to have been impacted, a company spokesperson said.
(Read more: Smart airline tray tables to serve up tablet ads)
White Lodging did not say how many customers may be impacted, but it said on its website it's urging all guests to review their credit card statements from that time period. White Lodging said it is arranging to offer one year of complimentary personal identity protection services to all affected cardholders.
—By CNBC's Amy Langfield. Follow her on Twitter at @AmyLangfield.
Follow Road Warrior on Twitter at @CNBCtravel.