Home » Corporate » Currently Reading:

Notice Regarding Mandarin Oriental Credit Card Breach

July 13, 2015 Corporate No Comments Email Email

Earlier this year, Mandarin Oriental discovered a malware attack on our credit card systems in a number of our hotels listed below.  In response, we issued a public statement on our website to alert guests to the attack so they could take proactive measures to monitor their credit card activity. We also immediately engaged law enforcement, cyber-forensic specialists, and appropriate credit card companies to coordinate investigation efforts and to take further steps to assist our guests. After a thorough investigation, we now know more about the incident and are notifying affected guests. We have established a call center that is prepared to address any questions our guests may have about the breach. We regret that this incident occurred and are sorry for any inconvenience it may cause. We take the safety and security of our guests and their personal information very seriously, and the trust our guests place in us remains an absolute priority.

From our investigation, it appears that a hacker used malware to obtain access to certain credit card systems in a number of Mandarin Oriental hotels. We believe this hacker may have used the malware to acquire the names and credit card numbers of guests who used a credit card for dining, beverage, spa, guest rooms, or other products and services at the following Mandarin Oriental properties during these time periods; we have not, however, found any evidence of acquisition or misuse of credit card pin numbers or security codes, or any other personal guest data:

Mandarin Oriental, Boston between June 18, 2014 and March 12, 2015
Mandarin Oriental, Geneva between June 18, 2014 and March 3, 2015
Mandarin Oriental, Hong Kong between June 18, 2014 and February 10, 2015
Mandarin Oriental Hyde Park, London between June 18, 2014 and March 5, 2015
Mandarin Oriental, Las Vegas between June 18, 2014 and October 16, 2014
Mandarin Oriental, Miami between June 18, 2014 and March 3, 2015
Mandarin Oriental, New York between June 18, 2014 and January 18, 2015
Mandarin Oriental, San Francisco between June 18, 2014 and February 14, 2015
Mandarin Oriental, Washington DC between June 18, 2014 and January 20, 2015
The Landmark Mandarin Oriental, Hong Kong between June 18, 2014 and February 3, 2015

Since we were first alerted to this attack, we have been investigating this incident across multiple countries and properties, and working in coordination with law enforcement and the credit card companies. We have timed this notice to avoid disrupting or impeding their concurrent investigations. We have also taken comprehensive steps to ensure that the malware has been removed and that the hacker is no longer in our systems.

In some instances, a credit card company may have already replaced the potentially affected credit card if it determined that the guest was at risk. We encourage potentially affected guests to remain vigilant for instances of fraud and identity theft, and to regularly review and monitor relevant account statements and credit reports to ensure the information contained in them is accurate. If any unauthorized charges on credit or debit card(s) are detected, guests should contact their card issuer. If anything is seen that is incorrect on credit reports, guests should contact the credit reporting agency. Suspected incidents of identity theft should be reported to local law enforcement. Even if no signs of fraud are found on reports or account statements, security experts suggest that credit reports and account statements should be checked periodically.


Fraud alert

Individuals who believe they may be affected by this incident may elect to place a fraud alert with the major credit reporting agencies on their credit files. Their contact information is as follows:


Equifax Information Services LLC
P.O. Box 105069
Atlanta, GA 30348-5069




Experian Fraud Reporting
P.O. Box 9554
Allen, Texas 75013




TransUnion LLC
P.O. Box 6790
Fullerton, California 92834-6790



A fraud alert lasts 90 days, and requires potential creditors to use “reasonable policies and procedures” to verify their identity before issuing credit in their name (as soon as one agency is notified, the others are notified to place fraud alerts as well). Individuals can also request these agencies to provide them with a copy of their credit report. The fraud alert can be kept in place at the credit reporting agencies by calling again after 90 days.

Security freeze

Individuals can also ask these same credit reporting agencies to place a security freeze on their credit report. A security freeze prohibits a credit reporting agency from releasing any information from an individual’s credit report without written authorization. Placing a security freeze on the credit report may delay, interfere with, or prevent the timely approval of any requests from the individual concerned. This may include requests for new loans, credit, mortgages, employment, housing or other services. If individuals want to have a security freeze placed on their account, they must make a request in writing by certified mail to the reporting agencies. The reporting agencies will ask for certain personal information, which will vary depending on where the individual lives and the credit reporting agency. It normally includes name, social security number, date of birth, and current and prior addresses (and proof thereof), and a copy of government-issued identification.

The cost to place, temporarily lift, or permanently lift a credit freeze varies by state. Generally, the credit reporting agencies will charge $5.00 or $10.00. However, if the individual is the victim of identity theft and has a copy of a valid investigative or incident report, or complaint with a law enforcement agency, in many states it is free. Individuals have the right to a police report under certain state laws.

Information about how to avoid identity theft

Besides local law enforcement, individuals can also report suspected instances of identity theft to their Attorney General, or the Federal Trade Commission (the “FTC”). The FTC, state Attorneys General, and major credit reporting agencies can provide additional information on how to avoid identity theft, how to place a fraud alert, and how to place a security freeze on credit reports. The FTC can be contacted on its toll-free Identity Theft helpline: 1-877-438-4338. The FTC’s website is http://www.ftc.gov/idtheft. Its address is Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580. InMaryland, the State Attorney General’s office can be reached by phone at (888) 743-0023. Its website is http://www.oag.state.md.us/. In North Carolina, the State Attorney General’s office can be reached by phone at (919) 716-6400. Its website is http://www.ncdoj.gov. Their mailing addresses are:

Douglas F. Gansler

Roy A. Cooper

Attorney General of the State of Maryland

Attorney General of the State of North Carolina

Office of the Attorney General

Consumer Protection Division, Attorney General’s Office

200 St. Paul Place

Mail Service Center 9001

Baltimore, MD 21202

Raleigh, NC 27699-9001

Further information

Consumers who have questions about this notice or this incident, or have requests for further assistance should call: (877) 202-4625 (for calls from the United States and Canada);  800-87777888 (for calls from the United Kingdom); 0800561270 (for calls fromSwitzerland); 800901342 (for calls from Hong Kong); and 606-878-4212 (for all other calls). Please use this reference number when calling: 6322070615.

Comment on this Article:

Time limit is exhausted. Please reload CAPTCHA.

Platinium Partnership


Elite Partnership Sponsors


Premier Partnership Sponsors


Official Media Event Partner


Global Travel media endorses the following travel publication