Hilton has acknowledged that something has happened, but has not gone so far as to own up to a breach. They stand by their security systems and insist that they do everything possible to ensure the safety and security of their customers’ data. Of course, this statement does not really mean anything, as even with those sentiments it is still possible to have a breach and lose data. Most companies are very tight-lipped when it comes to a breach, so this statement is not unusual. There are many reasons for this stance, some good and some bad. On the pro side, if there is an ongoing breach you do not always want to alert the bad guys. If they know you are looking, they can often hide their activity or start to do damage to cover their tracks. Sadly, it is usually more about company reputation and protection than it is about real security.
As things stand right now, it looks like the target was (once again) the Point of Sale system. In the last few years these terminals have become a bigger and bigger target due to some inherent security flaws in how they operate. In some cases these systems have default root passwords, run on older embedded systems (that have little to no updates) and often leave remote access tools on for convenience. Although there are more restrictive regulations in place to cover securing this environment, the adoption rate is slow, and far too many businesses file business exceptions or simply ignore them, feeling that the risk of a breach versus the cost of properly securing these systems is acceptable.
We will be keeping our eyes open for any additional information on this one.