Travelers who used a hotel business center computer received bad news from the federal government: Cyber criminals may have stolen their login credentials.

Security blogger Brian Krebs on Monday reported that he had obtained a copy of a warning privately issued by the Department of Homeland Security's National Cybersecurity and Communications Integration Center to various hospitality groups.

The bulletin said multiple Dallas/Fort Worth hotel business center computers had been compromised by criminals who installed keylogging software that lets a criminal easily see a user's every stroke, harvesting login information and passwords. 

“The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors' email accounts,” the warning read. “The suspects were able to obtain large amounts of information including other guests' personally identifiable information, login credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center's computers.”

“Using a hotel computer is like sending a postcard. Everybody sees what you are writing,” said Rick Dakin, CEO of security company Coalfire.

In most instances, traveling credit union executives would not be readily able to log into sensitive, institutional computers from such a public computer, experts said.  But that executive, as well as members, could log into personal email, home banking, and in many ways leave behind a trail of credentials for criminals to seek to mine.

Dakin said that in his opinion there will be no easy way to improve security at hotel business centers. The devices, in many instances, are unattended much of the day. Security oversight generally is minimal. The scenario creates a perfect context for criminals to install malware, he said, adding that a traveling executive population is an attractive target group for criminals.

Dakin said he expects hospitality industry lawyers to step up notifications that the devices may be insecure, thereby lessening the risks of successful litigation. 

But that will do nothing to improve security for users, he added.

Security experts are now advising hotel guests to not use business center computers, certainly not for sensitive tasks that involve keying in usernames and passwords.