Trump Hotel Collection, the hotel chain of Republican presidential candidate Donald Trump, has apparently exposed customers' personal information through hacks. Over 70,000 credit card numbers and other PII have been leaked. The hotel chain has agreed to pay $50,000 in penalties and has promised to improve its data security practices.
The charges against the Trump Hotel Collection state that it didn’t provide adequate protection. Furthermore, it didn’t inform the people affected, which is in direct breach of New York law.
New York Attorney General Eric T. Schneiderman has said in a statement that:
It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law.
How the Hacks Were Discovered
A 2015 analysis of fraudulent credit card transactions carried out by several banks revealed that THC was the last merchant where a legitimate transaction had been made using the cards. This pattern suggested that THC had been targeted in a cyberattack that ended with a data breach.
News of the breach was initially reported by infosec writer Brian Krebs, who cited three unnamed sources in the financial sector.
Krebs wrote that the cards were used at several Trump Hotel buildings such as Trump International Hotel New York, Trump Hotel Waikiki in Honolulu and the Trump International Hotel and Tower in Toronto.
Investigators later found that a person with access to legitimate domain administrator credentials had infiltrated the chain’s payment processing system in May 2014. That person then planted malware (an infostealer) for stealing credit card information. The malware was later observed in computer networks at multiple locations, including the New York, Las Vegas and Chicago hotels, according to the statement by the attorney general’s office.
On March 30, 2016, researchers also found that THC had suffered another breach, with the attacker gaining access on November 10 last year and installing malware for harvesting credit card information on 39 systems in five Trump hotel properties, CSO Online reports.