Hackers again stole guests’ credit card data from Trump Hotels

Trump Hotels admitted that hackers stole credit card and other sensitive information about guests who stayed at 14 Trump properties via a breach of Sabre Hospitality Solutions, the third-party reservation booking system used by Trump Hotels. The unauthorized access occurred between August 10, 2016 and March 9, 2017.

While being hacked is nothing new to Trump Hotels, it is far from the only hotel group affected in the latest breach. Third-party reservation provider Sabre claims its SynXis Central Reservation system serves “over 36,000 properties.” Security journalist Brian Krebs broke the news of the Sabre breach back in May.

Within the past two weeks, Four Seasons Hotels and Resorts, Hard Rock Hotels & Casinos, Loews Hotels, Carlson Wagonlit Travel used by some Google employees (pdf) and now Trump Hotels started notifying customers of the data breach.

Trump Hotels, which claims “the privacy and protection of our guests’ information is a matter we take very seriously,” said (pdf) Sabre notified it about the breach on June 5. The Trump Hotels’ notice echoed Sabre’s notice of data breach about the unauthorized access of Sabre Hospitality Solutions SynXis Central Reservation System. Guests at 14 Trump properties (pdf) were advised to take steps to protect themselves against potential misuse of their information since the security incident involved unauthorized access to payment card information

“including cardholder name, payment card number, card expiration date, and potentially card security code. In some cases, the unauthorized party also was able to access guest name, email, phone number, address, and other information. Information such as Social Security, passport, and driver’s license number was not accessed.”

Trump Hotels got a day’s heads-up from Sabre, which notified Four Seasons Hotels and Resorts and Hard Rock Hotels and Casinos of the breach on June 6. Hard Rock notified customers on July 6, with Four Seasons and Trump Hotels waiting almost another week to break the bad news.

Still, that is better than when Trump Hotels learned of a May 2014 breach in June 2015, but did not notify guests until four months later. That mistake resulted in Trump Hotels paying $50,000 in penalties in September 2016 as it resulted in the payment card information for more than 70,000 guests being exposed.

As the Washington Post pointed out, five more Trump hotels were breached in November 2015. “Four months later, in March, an attacker tapped into a legacy payment system that included personal information of Trump Hotel property owners, including names and Social Security numbers of more than 300 people.”

This go-around, Trump Hotels said in a letter, “We are working with Sabre to address this issue. We understand that Sabre engaged a leading cybersecurity firm to support its investigation. Sabre indicated that they also notified law enforcement and the payment card brands about this incident.”

The Sabre incident affecting luxury hotels and resorts is not the only one this year. For example, as you may recall from April, InterContinental Hotels admitted that 1,200 of its franchised hotels, such as Holiday Inn, had been also been hacked via malware which stole customer payment card data.

“Why are hackers targeting hotels? Well, because they’re a good target,” Peter W. Singer, a senior fellow at the New America Foundation, told the Post. “Then you look at Trump’s hotels, and they’re obviously a highly symbolic target. If more people are staying there in an attempt to curry favor with the government, the fishing pool of targets is certainly greater than it was prior to November.”