Trump Hotels announced Tuesday that data had been breached at 14 of its locations, including those in Las Vegas and Chicago, CNBC reports. Customers’ payment card numbers and security codes were seized by hackers who entered the systems of Sabre, a third party that manages reservations for Trump Hotels.
Lee Matthews of Forbes says hackers accessed Sabre’s SynXis Central Reservations system, which contains data pertaining to just 35,000 of Sabre’s 100,000 plus clients. A Sabre spokesperson told Matthews that “less than 15 percent of the average daily bookings on the Sabre Hospitality Solutions reservation system[…]were viewed””
Sabre learned of the attack in June, and disclosed it to Trump Hotels, whose systems the perpetrators accessed from August 10, 2016 to March 9, 2017, on June 5.
In Tuesday’s statement, Trump Hotels “recommends that affected individuals remain vigilant for incidents of fraud and identity theft by regularly reviewing account statements and monitoring free credit reports for any unauthorized activity.” If customers do detect unusual activity, the statement advises them to contact their financial institutions, law enforcement agencies, or the Federal Trade Commission.
Cybersecurity at Trump Hotels has been compromised at least three times in just over two years. According to a report by Jose Pagliery of CNN, Trump Hotels management acknowledged in September 2015 that computer systems at the hotel were infiltrated by a virus, which evidently monitored keystrokes and seized payment information, including credit card numbers, expiration dates, security codes, and cardholders’ names, as employees typed it into the computer. Trump Hotels was unsure whether that virus was able to access data stored on the computers, or merely intercept it as it was inputted.
The sensitive information of anyone who stayed at a Trump Hotels location between May 19, 2014 and June 2, 2015 may have been vulnerable, the company said, although “an independent forensic investigation has not conclusively determined [as of September 2015] that any particular customer’s payment card information was taken.”
A legal investigation spearheaded by New York Attorney General Eric Schneiderman found that Trump Hotels was aware of the 2015 breach as early as June of that year, when, Schneiderman’s report says, “a preliminary forensic investigation confirmed the existence of credit card targeting malware at multiple THC locations, including in the computer networks associated with New York, Las Vegas and Chicago hotels.” But the company failed to notify the public until September.
On April 4, 2016, the hotel chain said its computer systems had been compromised again, Pagliery reported on April 5 of that year. Pagliery quoted Eric Trump as saying that Trump Hotels, “like virtually every other company these days, [is] routinely targeted by cyber terrorists whose only focus is to inflict harm on great American businesses.”
But apparently, Trump Hotels had taken no steps to reduce the size of the target on its own back: the company “never implemented the cybersecurity plan they were given to prevent a second attack,” The Huffington Post’s Christina Wilkie reported in September 2016.
Following Schneiderman’s investigation, Trump Hotels was ordered to pay $50,000 in a legal settlement due to the hotel chain’s failure to promptly notify the public of the 2015 hack and to shore up its cybersecurity in that attack’s aftermath
This most recent incident, of course, is not a direct breach of Trump Hotels security, but a result of vulnerabilities in the computer systems of a contractor with which Trump Hotels works closely. Still, Trump Hotels will no doubt be held responsible by customers whose information was stolen.
The hotel chain has indicated no intention of cutting ties with Sabre, but wary potential customers would presumably feel more confident about staying in Trump hotels if the company took some action to bolster its cybersecurity.