Hackers were able to steal sensitive details of guests at 14 Trump hotels between August and March, including credit card numbers, expiration dates and security codes.
A cyber-attack on Sabre Hospitality Solutions’ Central Reservation system compromised sensitive details of guests at 14 Trump hotels.
The said cyber-attack lasted eight long months and compromised details of guests at several hotel chains including Trump Hotels, Hard Rock Hotels, Loews Hotels and the Four Seasons hotels and resorts. In all, details stored by over 500 companies on Sabre Hospitality Solutions’ Central Reservation system were breached as a result of the cyber-attack.
An investigation on the data breach revealed that an ‘unauthorized party first obtained access to Trump Hotels-related payment card and other reservation information on August 10, 2016. The last access to this information was on March 9, 2017,” said Trump Hotels in a press release.
Data obtained by hackers as a result of the breach included names, email addresses, phone numbers, residential addresses, and payment details of guests like cardholder names, payment card numbers, card expiration dates, and card security codes. According to Trump Hotels, Sabre Hospitality Solutions have notified law enforcement and have engaged a leading cyber security firm to support its investigation.
The hotel chain has advised affected customers to remain vigilant for incidents of fraud and identity theft and to report any suspicious or unusual activity to their respective financial institutions. If fraudulent charges are reported timely, major credit card companies may not require customers to pay for them.
Between September 29 and December 29, unnamed hackers had also gained access to a large number of customer card details by hacking into the InterContinental Hotels Group’s payment servers. The hotel chain did not detect the intrusions until it was alerted to the breach by one of its card providers in March.
“The string of recent security breaches highlights the challenges faced by many hospitality and travel companies today. In particular, security failures are an inherent problem within many older systems that have evolved over very many years. Increasingly fraudsters have identified the travel technology sector as being weak with online fraud almost doubling in the past year,” said Jason Perhar, senior security advisor at PCI Booking.
“This issue has become very serious, especially with hotels and travel companies that have been slow to invest in readily available security solutions such as tokenization of card data on the fly as it is passed from online bookers and GDSs,” he added.
It is expected that strict adherence to the PCI DSS cyber security standards as well as to the upcoming General Data Protection Regulation (GDPR) will ensure hotels and other large businesses will be able to protect their servers as well as confidential customer data from falling into the hands of professional hackers.
The GDPR mandates that erring firms who fail to protect their data will be liable to pay either 4% of their annual worldwide turnover or €20 million, whichever will be higher, as fines.