The Trump Hotel Collection confirmed this week that they had in fact fallen victim to a malware infection. The infection was specific to their property in Las Vegas according to the breach notification that was posted on Friday.
The malware was apparently meant to target the payment information of the customers who stayed at the hotel. Their investigation was not able to determine if, or how much, data was exfiltrated from the company systems but, they did learn that the malware was affecting their payment systems.
If the carders who attacked the Trump Hotel systems were able to make off with customer data this could become fodder for the U.S. Presidential race where Donald Trump, owner of Trump Hotel Collection (THC), is seeking the highest office.
The data breach affected customers who stayed at the hotel from May 19th to June 2 this year.
From the THC breach notice:
We want to make potentially affected customers aware of steps they can take to guard against identity theft or fraud. We recommend that you review your credit and debit card account statements as soon as possible in order to determine if there are any discrepancies or unusual activity listed. You should remain vigilant and continue to monitor your statements for unusual activity going forward.
This is good practice to get into even if you have not been affected by a data breach such as the one that Trump Hotel Collection has suffered.
The company is working with the FBI, banks and a third party forensic company to work on getting to the bottom of the breach. I would hazard a guess that the carders who attacked the Trump systems will not be caught. This sort of activity has been targeting hotels and retail companies for a while now. We’ve seen big names such as Target, Home Depot and others fall to this sort of data breach.
What will it take for these sort of breaches to be curtailed? Defending an enterprise is no small task and companies need to do a better job of shoring up their defenses in order to safeguard the data. Your data.
The company is providing a year of "complimentary fraud resolution and identity protection services” which, to be fair, is mandated by law. The problem here is that this is only available for U.S. citizens. If you were a hotel guest from another country that stayed there from May 19 - June 2, 2015 you’re out of luck it would seem.
While their unnamed forensics firm was not able to determine if data was exfiltrated I would hazard a guess that this was the case. If so, this will confirm the story that broke this story back in July.
Always keep an eye on your financial statements and credit card transactions. It is just good practice.